scott001 Posted October 12, 2018

My site is a secure https site, and when I run tests on it the cookies that Revive Ad Server sets are non-https, insecure cookies. Is there a way that I can force the cookies to be https?

AngryWarrior Posted October 14, 2018

+1 - I'd like to hear about this too!

andrewatfornax Posted November 12, 2018

Interesting - can you describe the setup more? What tag type, how the tags have been configured for SSL, etc?

scott001 (Author) Posted April 25, 2019

I am still getting these warnings. The adserver's cookies are not secure https:

> The Secure directive
>
> By adding the Secure instruction in the Set-Cookie HTTP header, the server informs the browser that it is allowed to transmit the cookie over secure connection only. Read this blog post to learn more.
>
> Caution: Ensure that the HTTP to HTTPS redirect is activated on your website. Otherwise, the Secure cookie may not be sent on HTTP request.
>
> The following Cookies are not secure, you should add the Secure instruction in the Set-Cookie HTTP header:

EXAMPLES:

```
set-cookie: spcsrf=a7926253af246ee7f09f04062fcde42d; Expires=Thu, 25-Apr-19 19:03:00 GMT; Path=/; HttpOnly; SameSite=Strict
set-cookie: UTGv2=D-h4f4bae1c99aeac150608db7df7d860a3547; Expires=Fri, 24-Apr-20 17:03:00 GMT; Path=/
set-cookie: OAID=a32d8dd64ecb4a95ef3092870b2080ea; expires=Fri, 24-Apr-2020 17:03:00 GMT; Max-Age=31536000; path=/
set-cookie: _OXLIA[2202]=pqj0p0-326; expires=Sat, 25-May-2019 17:03:00 GMT; Max-Age=2592000; path=/
```

Anyone know how to fix this? The answer probably lies in this file: lib/pear/HTTP/Request.php

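Added example (not part of the thread, and not Revive Adserver code): a small audit that parses `Set-Cookie` header lines and lists which of `Secure`, `HttpOnly` and `SameSite` each cookie lacks, run over the four header lines quoted in the post above. The function names are chosen here for illustration.

```python
# Added example: audit Set-Cookie headers for missing security attributes.
# SAMPLE_HEADERS are the four header lines quoted in the post above.
SAMPLE_HEADERS = [
    "set-cookie: spcsrf=a7926253af246ee7f09f04062fcde42d; Expires=Thu, 25-Apr-19 19:03:00 GMT; Path=/; HttpOnly; SameSite=Strict",
    "set-cookie: UTGv2=D-h4f4bae1c99aeac150608db7df7d860a3547; Expires=Fri, 24-Apr-20 17:03:00 GMT; Path=/",
    "set-cookie: OAID=a32d8dd64ecb4a95ef3092870b2080ea; expires=Fri, 24-Apr-2020 17:03:00 GMT; Max-Age=31536000; path=/",
    "set-cookie: _OXLIA[2202]=pqj0p0-326; expires=Sat, 25-May-2019 17:03:00 GMT; Max-Age=2592000; path=/",
]

REQUIRED = ("secure", "httponly", "samesite")  # attributes this audit looks for


def parse_set_cookie(line):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers):
    """Map each cookie name to the list of REQUIRED attributes it lacks."""
    report = {}
    for line in headers:
        name, attrs = parse_set_cookie(line)
        missing = [a for a in REQUIRED if a not in attrs]
        # Current browsers reject SameSite=None unless Secure is also present.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            missing.append("samesite=none-without-secure")
        report[name] = missing
    return report


def insecure_cookie_names(headers):
    """Names of cookies that may be sent over plain HTTP (no Secure attribute)."""
    return [name for name, missing in audit(headers).items() if "secure" in missing]


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing) or 'nothing'}")
```
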
scott001 (Author) Posted April 25, 2019

I don't have my domain in the conf cookie setting...does this matter? If I add it should I include www?

```
[openads]
installed=1
requireSSL=1
sslPort=443
language=en

[max]
requireSSL=1
sslPort=443

[database]
type=mysqli
host=localhost
port=3306

[cookie]
permCookieSeconds=31536000
maxCookieSize=2048
domain=
viewerIdDomain=
```

Artistan Posted February 4, 2020

My lg.php is calling http and then redirecting to https but getting a cookie from http.

Artistan Posted February 4, 2020

Our load balancer was forwarding to servers on port 80. Had to add the `HTTP_FRONT_END_HTTPS` or similar for verifying SSL_REQUEST.

scott001 (Author) Posted February 4, 2020

6 hours ago, Artistan said:

> our load balancer was forwarding to servers on port 80. had to add the `HTTP_FRONT_END_HTTPS` or similar for verifying SSL_REQUEST

Can you please tell me exactly what you added and where? That would be a huge help...thank you!

Artistan Posted February 6, 2020

Our load balancer forwards requests to the web servers via port 80 (insecure on the local network). Due to that, the web server + Revive does not automatically know that it should be serving secure links and cookies.

In order to resolve this we had to add a forwarded header to the load balancer that tells the server + Revive code that the connection is secure from the user's browser.

Search for `function setupConfigVariables` in the code to see what I am talking about. There are many different server settings to allow `$GLOBALS['_MAX']['SSL_REQUEST'] = true;`

scott001 (Author) Posted February 20, 2020

I found the code you mean, I just don't know exactly what you did to the code to change it. Here is my code:

```php
function setupConfigVariables()
{
    $GLOBALS['_MAX']['MAX_DELIVERY_MULTIPLE_DELIMITER'] = '|';
    $GLOBALS['_MAX']['MAX_COOKIELESS_PREFIX'] = '__';
    $GLOBALS['_MAX']['thread_id'] = uniqid();

    // Set a flag if this request was made over an SSL connection (used more for delivery rather than UI)
    $GLOBALS['_MAX']['SSL_REQUEST'] = false;
    if (
        (!empty($_SERVER['SERVER_PORT']) && !empty($GLOBALS['_MAX']['CONF']['openads']['sslPort']) && ($_SERVER['SERVER_PORT'] == $GLOBALS['_MAX']['CONF']['openads']['sslPort'])) ||
        (!empty($_SERVER['HTTPS']) && ((strtolower($_SERVER['HTTPS']) == 'on') || ($_SERVER['HTTPS'] == 1))) ||
        (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
        (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && (strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
        (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && (strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on')) ||
        (!empty($_SERVER['FRONT-END-HTTPS']) && (strtolower($_SERVER['FRONT-END-HTTPS']) == 'on'))
    ) {
        // This request should be treated as if it was received over an SSL connection
        $GLOBALS['_MAX']['SSL_REQUEST'] = true;
    }

    // Maximum random number (use default if doesn't exist - eg the case when application is upgraded)
    $GLOBALS['_MAX']['MAX_RAND'] = isset($GLOBALS['_MAX']['CONF']['priority']['randmax']) ?
        $GLOBALS['_MAX']['CONF']['priority']['randmax'] : 2147483647;

    list($micro_seconds, $seconds) = explode(" ", microtime());
    $GLOBALS['_MAX']['NOW_ms'] = round(1000 *((float)$micro_seconds + (float)$seconds));

    // Always use UTC when outside the installer
    if (substr($_SERVER['SCRIPT_NAME'], -11) != 'install.php') {
        // Save server timezone for auto-maintenance
        $GLOBALS['serverTimezone'] = date_default_timezone_get();
        OA_setTimeZoneUTC();
    }
}
```

andrewatfornax Posted February 24, 2020

Hi @scott001,

Yes, that's what @Artistan is talking about.

So, for example, if you have a proxy server in front of Revive Adserver, and the proxy server is doing all the SSL, and then forwarding requests on to Revive Adserver over HTTP, then you could get your proxy server to inform Revive Adserver that it should act as though it's really operating on HTTPS (and not HTTP), by setting up your proxy server to send in an extra header in the request to Revive Adserver.

This could be, for example, by sending the HTTP_X_FORWARDED_PROTO header with value "https". Or you could send the HTTP_X_FORWARDED_SSL header with value "on". etc.

scott001 (Author) Posted February 24, 2020

As you can see, within that file all are set to on or https...is there a setting somewhere else for this? My cookies are not secure, I do not use the cloud or have a proxy server. How can I make my cookies secure?

In config here are my settings:

```
[openads]
installed=1
requireSSL=1
sslPort=443
language=en

[max]
requireSSL=1
sslPort=443

[cookie]
permCookieSeconds=31536000
maxCookieSize=2048
domain=
viewerIdDomain=
```

Edited February 24, 2020 by scott001

scott001 (Author) Posted February 26, 2020

Any help here would be appreciated. My cookies are still not secure. I don't follow how to add in a header line, sorry.

andrewatfornax Posted February 27, 2020

Hi @scott001,

If you are not running a proxy server that is intercepting HTTPS traffic, and then forwarding the traffic on to Revive Adserver over HTTP, then all that discussion about ensuring that your proxy includes an appropriate header is not relevant.

Based on your comment on February 5, where you responded to someone saying that they had an issue with this kind of setup, I had assumed that you had the same kind of setup as well.

However, if that's not the case, then we need to go back to square one, I'm afraid. (Clear details of the problem and the set up from the outset are always helpful!)

Can I please refer you back to my comment on November 12, where I ask for more details on your setup.

You say that you are running a secure HTTPS site. Do you mean that the site you are putting advertising on is running on HTTPS? Do you mean that your Revive Adserver site is running on HTTPS? Do you mean that both are?

If your Revive Adserver site can be accessed via HTTPS, can it also be accessed via HTTP?

What kind of tag are you using to deliver banners with? Have you modified the tags to set the required HTTPS settings before inserting them into your HTTPS enabled site on which the advertising is being shown?

Thanks.

scott001 (Author) Posted March 6, 2020

Both the Revive adserver site and the site I display my ads are on the same server and domain: https://www.celiac.com

Both are also set to be https under the SSL certificate.

I have even tried using these in .htaccess to force secure cookies and https:

```
#force https
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
#
#FORCE SECURE COOKIES
<IfModule mod_headers.c>
# only for Apache > 2.2.4:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#
# lower versions:
#Header set Set-Cookie HttpOnly;Secure
</IfModule>
```

but the error still shows: https://www.dareboost.com/en/report/a_25e3a5b31a0612f6f36f66767?reportIds=a_25e3a5b31a0612f6f36f66767

andrewatfornax Posted March 7, 2020

If you're trying to use that option from the report site, is mod_headers installed in your Apache service?

scott001 (Author) Posted March 9, 2020

Yes, mod_headers is installed and working.

andrewatfornax Posted March 16, 2020

Hi @scott001,

Okay, thanks - have you enabled debug logging in Apache and traced the logs to confirm that the rules you are putting in are being triggered, and why they are not working as expected?

scott001 (Author) Posted March 17, 2020

I currently have the force secure cookies .htaccess code in my site's root. Should it instead be in the directory for Revive's root, or perhaps in the directory where the cookie set php files are?

andrewatfornax Posted March 17, 2020

I guess that will depend on how your web server is configured re: how .htaccess files are detected and processed!

scott001 (Author) Posted April 17, 2020

So in root .htaccess is being read and executed, and I do have that code in there to force cookies to be https, yet it does not work.

andrewatfornax Posted April 21, 2020

Which I understand is incredibly frustrating for you @scott001, but I am not sure how any of us can help with this. We don't have access to your server and how it's configured, or access to any of the logs - and even if we did, because we're talking about .htaccess rules and Apache, it's kind of beyond what we can support anyway.

Have you had any luck with an Apache support group, who may be better able to advise why the rules are not working as expected?