In August, Adobe released a security patch for Magento; we encourage Magento sites to apply it promptly. Additionally, one of our clients was targeted by automated scripts, so the team needs to enable Google reCAPTCHA to prevent further attacks.

We also discussed addressing session loss related to the SameSite cookie. It’s important to implement the SameSite attribute correctly and avoid setting it to None.

Agenda

  • SameSite Cookie for the external payment call

  • Google reCaptcha on Checkout

  • Accessing Redis from PHPStorm

SameSite Cookie for the external payment call

SameSite cookie explained: https://web.dev/articles/samesite-cookies-explained

Many guides online suggest setting the SameSite cookie attribute to None to resolve the loss of session after redirecting back from an external payment provider. However, we believe this approach is not correct. The setting increases security risk, including:

  • Greater vulnerability to Cross-Site Request Forgery (CSRF) attacks.

  • Higher likelihood of Cross-Site Scripting (XSS) attacks, which can result in session hijacking.

To resolve this issue, we use a redirect-based solution instead.

The sequence diagram for this solution represents the flow of the checkout and payment process, including the hidden form used to handle the SameSite cookie issue. It shows how the process stays within the same-site context by combining server-side redirects with client-side form submissions, which preserves the session and the integrity of its cookies.

There is a PR that resolves the SameSite cookie issue: MC-31574: PayflowPro Checkout Broken with SameSite Cookie
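The flow above, as an added framework-agnostic model (not Magento's or the PR's code): `cookie_sent` encodes the browser's SameSite rule, `render_bridge_page` builds the auto-submitting hidden form served on the cookie-less return from the gateway, and `return_flow` walks both hops; the hostnames and the `/checkout/payment/return` path are assumed placeholders.

```python
"""Model of the redirect/hidden-form bridge for external payment returns (constructed example)."""
from html import escape


def cookie_sent(samesite: str, initiator_site: str, target_site: str,
                method: str, top_level: bool = True) -> bool:
    """Browser decision: is a cookie with this SameSite value attached to the request?
    None: always (this is the CSRF exposure the text warns about; also requires Secure).
    Lax: same-site requests, plus top-level cross-site GET navigations.
    Strict: same-site requests only."""
    same_site = initiator_site == target_site
    if samesite == "None":
        return True
    if samesite == "Lax":
        return same_site or (top_level and method == "GET")
    if samesite == "Strict":
        return same_site
    raise ValueError(f"unknown SameSite value: {samesite}")


def render_bridge_page(payload: dict, action_path: str = "/checkout/payment/return") -> str:
    """HTML returned to the browser for the gateway's cross-site POST (no session cookie).
    The gateway fields are re-posted from a page on the shop's own origin, so the second
    request is same-site and carries a Lax or Strict session cookie.
    Every field is HTML-escaped: the payload is attacker-reachable input.
    In production, verify the gateway's signature on the payload before rendering this page."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(str(v), quote=True)}">'
        for k, v in payload.items())
    return (f'<form id="bridge" method="post" action="{escape(action_path, quote=True)}">{fields}'
            '<noscript><button type="submit">Continue</button></noscript></form>'
            '<script>document.getElementById("bridge").submit();</script>')


def return_flow(samesite: str) -> dict:
    """Hop 1: gateway POSTs to the shop (cross-site). Hop 2: bridge form auto-submits (same-site)."""
    gateway, shop = "https://gateway.example", "https://shop.example"   # assumed hosts
    return {
        "gateway_post_has_session": cookie_sent(samesite, gateway, shop, "POST"),
        "bridge_post_has_session": cookie_sent(samesite, shop, shop, "POST"),
    }


if __name__ == "__main__":
    for attr in ("Lax", "Strict", "None"):
        print(attr, return_flow(attr))
    print(render_bridge_page({"RESULT": "0", "PNREF": "A1B2C3"}))
```

With Lax or Strict, the first hop has no session but the bridge hop does; only None exposes the session on the cross-site hop, which is exactly the trade-off the guides above get wrong.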

Google reCaptcha on Checkout

In July and August, several of our clients received numerous guest orders containing unexpected data.

The team reviewed the access logs and database and discovered that someone had written an automation script to place orders through guest checkout.

After researching many solutions, the team decided to enable Google reCAPTCHA v2 Invisible on the checkout page. Google reCAPTCHA v2 Invisible is a variant of the reCAPTCHA service that verifies a user is human without interrupting their experience. Unlike the traditional reCAPTCHA that shows a checkbox or a set of challenges, the invisible reCAPTCHA runs in the background and only presents a challenge when it detects suspicious activity.

Therefore, we recommend that Magento site owners enable Google reCAPTCHA if their site is being targeted by automated scripts that create fraudulent guest orders.

Accessing Redis from PHPStorm

Magento uses Redis for session storage. If you are using PHPStorm, you can connect to the Redis database directly from the IDE.

Here is the guide: https://www.jetbrains.com/help/phpstorm/redis.html#connect-to-redis-database
