scott001

Insecure Cookies Warnings - Non-SSL Cookies


I am still getting these warnings. The adserver's cookies are not secure https:

The Secure directive

By adding the Secure instruction in the Set-Cookie HTTP header, the server informs the browser that it is allowed to transmit the cookie over a secure connection only.

Caution: Ensure that the HTTP to HTTPS redirect is activated on your website. Otherwise, the Secure cookie may not be sent on HTTP requests.

The following Cookies are not secure, you should add the Secure instruction in the Set-Cookie HTTP header:

EXAMPLES:

  • set-cookie: spcsrf=a7926253af246ee7f09f04062fcde42d; Expires=Thu, 25-Apr-19 19:03:00 GMT; Path=/; HttpOnly; SameSite=Strict
  • set-cookie: UTGv2=D-h4f4bae1c99aeac150608db7df7d860a3547; Expires=Fri, 24-Apr-20 17:03:00 GMT; Path=/
  • set-cookie: OAID=a32d8dd64ecb4a95ef3092870b2080ea; expires=Fri, 24-Apr-2020 17:03:00 GMT; Max-Age=31536000; path=/
  • set-cookie: _OXLIA[2202]=pqj0p0-326; expires=Sat, 25-May-2019 17:03:00 GMT; Max-Age=2592000; path=/

Anyone know how to fix this? The answer probably lies in this file:

lib/pear/HTTP/Request.php
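To reproduce the scanner's finding offline, here is a small Set-Cookie auditor. This is an added example, not code from the original post or from Revive Adserver; the four header lines are copied from the scan output above and embedded as constructed sample input, and the attribute checks (Secure, HttpOnly, SameSite) are the ones a practitioner would normally verify together.

```python
"""Audit Set-Cookie headers for the Secure (and related) attributes.

Added example, not from the original post or from Revive Adserver. The
four Set-Cookie lines are the ones reported by the scanner above and are
used here as constructed sample input.
"""
from dataclasses import dataclass, field

SAMPLE_HEADERS = [
    "set-cookie: spcsrf=a7926253af246ee7f09f04062fcde42d; Expires=Thu, 25-Apr-19 19:03:00 GMT; Path=/; HttpOnly; SameSite=Strict",
    "set-cookie: UTGv2=D-h4f4bae1c99aeac150608db7df7d860a3547; Expires=Fri, 24-Apr-20 17:03:00 GMT; Path=/",
    "set-cookie: OAID=a32d8dd64ecb4a95ef3092870b2080ea; expires=Fri, 24-Apr-2020 17:03:00 GMT; Max-Age=31536000; path=/",
    "set-cookie: _OXLIA[2202]=pqj0p0-326; expires=Sat, 25-May-2019 17:03:00 GMT; Max-Age=2592000; path=/",
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased, RFC 6265 attributes are case-insensitive) -> value or None
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header_line):
    """Parse one 'set-cookie: name=value; attr; attr=value' line."""
    _, _, body = header_line.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie):
    """Return a list of findings; an empty list means the cookie passes."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite")
    return findings


def audit_headers(lines):
    """Map cookie name -> findings for every Set-Cookie line given."""
    return {c.name: audit(c) for c in map(parse_set_cookie, lines)}


def insecure_cookie_names(lines):
    """Names of cookies that would be sent over plain HTTP (no Secure flag)."""
    return sorted(name for name, f in audit_headers(lines).items() if "missing Secure" in f)


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run against the sample, all four cookies are reported as missing Secure, which matches the scanner: even spcsrf, which already has HttpOnly and SameSite=Strict, will be transmitted on a plain-HTTP request until the server adds the Secure attribute.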


I don't have my domain in the conf cookie setting...does this matter? If I add it should I include www?

[openads]
installed=1
requireSSL=1
sslPort=443
language=en

[max]
requireSSL=1
sslPort=443

[database]
type=mysqli
host=localhost
port=3306

[cookie]
permCookieSeconds=31536000
maxCookieSize=2048
domain=
viewerIdDomain=
 

6 hours ago, Artistan said:

our load balancer was forwarding to servers on port 80. had to add the `HTTP_FRONT_END_HTTPS` or similar for verifying SSL_REQUEST

Can you please tell me exactly what you added and where? That would be a huge help...thank you!


Our load balancer forwards requests to the web servers via port 80 (insecure on the local network)

due to that, the web server + Revive does not automatically know that it should be serving secure links and cookies.

In order to resolve this we had to add a forwarded header to the load balancer that tells the server + Revive code that the connection is secure from the users browser.

search for `function setupConfigVariables` in the code to see what I am talking about, there are many different server settings to allow `$GLOBALS['_MAX']['SSL_REQUEST'] = true;`


I found the code you mean, I just don't know exactly what you did to the code to change it. Here is my code:

function setupConfigVariables()
{
    $GLOBALS['_MAX']['MAX_DELIVERY_MULTIPLE_DELIMITER'] = '|';
    $GLOBALS['_MAX']['MAX_COOKIELESS_PREFIX'] = '__';
    $GLOBALS['_MAX']['thread_id'] = uniqid();

    // Set a flag if this request was made over an SSL connection (used more for delivery rather than UI)
    $GLOBALS['_MAX']['SSL_REQUEST'] = false;
    if (
        (!empty($_SERVER['SERVER_PORT']) && !empty($GLOBALS['_MAX']['CONF']['openads']['sslPort']) && ($_SERVER['SERVER_PORT'] == $GLOBALS['_MAX']['CONF']['openads']['sslPort'])) ||
        (!empty($_SERVER['HTTPS']) && ((strtolower($_SERVER['HTTPS']) == 'on') || ($_SERVER['HTTPS'] == 1))) ||
        (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
        (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && (strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
        (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && (strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) == 'on')) ||
        (!empty($_SERVER['FRONT-END-HTTPS']) && (strtolower($_SERVER['FRONT-END-HTTPS']) == 'on'))
    ) {
        // This request should be treated as if it was received over an SSL connection
        $GLOBALS['_MAX']['SSL_REQUEST'] = true;
    }

    // Maximum random number (use default if doesn't exist - eg the case when application is upgraded)
    $GLOBALS['_MAX']['MAX_RAND'] = isset($GLOBALS['_MAX']['CONF']['priority']['randmax']) ?
        $GLOBALS['_MAX']['CONF']['priority']['randmax'] : 2147483647;

    list($micro_seconds, $seconds) = explode(" ", microtime());
    $GLOBALS['_MAX']['NOW_ms'] = round(1000 *((float)$micro_seconds + (float)$seconds));

    // Always use UTC when outside the installer
    if (substr($_SERVER['SCRIPT_NAME'], -11) != 'install.php') {
        // Save server timezone for auto-maintenance
        $GLOBALS['serverTimezone'] = date_default_timezone_get();
        OA_setTimeZoneUTC();
    }
}
 


Hi @scott001,

Yes, that's what @Artistan is talking about.

So, for example, if you have a proxy server in front of Revive Adserver, and the proxy server is doing all the SSL, and then forwarding requests on to Revive Adserver over HTTP, then you could get your proxy server to inform Revive Adserver that it should act as though it's really operating on HTTPS (and not HTTP), by setting up your proxy server to send in an extra header in the request to Revive Adserver.

This could be, for example, by sending the HTTP_X_FORWARDED_PROTO header with value "https".

Or you could send the HTTP_X_FORWARDED_SSL header with value "on".

etc.
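The piece that is easy to get wrong here is the header name. The names quoted in this thread (HTTP_X_FORWARDED_PROTO, HTTP_X_FORWARDED_SSL, HTTP_FRONT_END_HTTPS) are the $_SERVER keys PHP exposes, not the headers the proxy sends: PHP, like CGI, takes a request header such as X-Forwarded-Proto, upper-cases it, turns "-" into "_" and prefixes HTTP_. So the proxy must send X-Forwarded-Proto: https (or X-Forwarded-SSL: on, or Front-End-Https: on) and Revive will see the corresponding key. The model below is an added example, not code from this thread or from Revive Adserver: is_ssl_request() is a Python port of the decision in the setupConfigVariables() function quoted above, cgi_env_from_request() models the header-to-$_SERVER mapping, proxy_forward() is a hypothetical stand-in for the proxy, and the port 443 and all header values are constructed assumptions.

```python
"""Model how a TLS-terminating proxy tells a port-80 backend that the client used HTTPS.

Added example, not code from the original thread or from Revive Adserver.
It ports the SSL_REQUEST decision from Revive's setupConfigVariables()
(quoted above) and models how PHP maps request headers into $_SERVER.
"""

SSL_PORT = 443   # assumption: matches sslPort=443 in the config posted above


def cgi_env_from_request(headers, server_port=80, https=None):
    """Build the $_SERVER-style dict PHP would see for one request.

    A request header 'X-Forwarded-Proto' becomes $_SERVER['HTTP_X_FORWARDED_PROTO']:
    prefix HTTP_, upper-case, '-' replaced by '_'.
    """
    env = {"SERVER_PORT": str(server_port)}
    if https is not None:
        env["HTTPS"] = https          # only set by a web server that terminated TLS itself
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def is_ssl_request(env, ssl_port=SSL_PORT):
    """Port of the checks that set $GLOBALS['_MAX']['SSL_REQUEST'] = true in Revive."""
    def eq(key, want):
        return bool(env.get(key)) and str(env[key]).lower() == want

    return (
        str(env.get("SERVER_PORT", "")) == str(ssl_port)
        or eq("HTTPS", "on") or env.get("HTTPS") == "1"
        or eq("HTTP_X_FORWARDED_PROTO", "https")
        or eq("HTTP_X_FORWARDED_SSL", "on")
        or eq("HTTP_FRONT_END_HTTPS", "on")
        or eq("FRONT-END-HTTPS", "on")
    )


def proxy_forward(client_headers, client_used_tls, overwrite=True):
    """Hypothetical proxy: headers it sends upstream to the port-80 backend.

    With overwrite=True it sets X-Forwarded-Proto from the connection it
    actually saw. With overwrite=False it keeps whatever the client sent,
    which is what a pass-through misconfiguration looks like.
    """
    upstream = dict(client_headers)
    if overwrite or "X-Forwarded-Proto" not in upstream:
        upstream["X-Forwarded-Proto"] = "https" if client_used_tls else "http"
    return upstream


def backend_sees_ssl(client_headers, client_used_tls, overwrite=True):
    """End to end: client -> proxy -> backend on port 80 -> Revive's decision."""
    env = cgi_env_from_request(proxy_forward(client_headers, client_used_tls, overwrite))
    return is_ssl_request(env)


if __name__ == "__main__":
    print("no proxy header, port 80:", is_ssl_request(cgi_env_from_request({}, 80)))
    print("proxy adds X-Forwarded-Proto:", backend_sees_ssl({}, client_used_tls=True))
```

The first case is the situation described in this thread: the backend only sees port 80 and nothing else, so SSL_REQUEST stays false and the cookies go out without Secure. Once the proxy adds X-Forwarded-Proto: https the decision flips. In nginx that is `proxy_set_header X-Forwarded-Proto $scheme;` in the location that proxies to Revive; in HAProxy, `http-request set-header X-Forwarded-Proto https if { ssl_fc }`. In both cases have the proxy set (overwrite) the header from the connection it terminated rather than pass a client-supplied value through, so that only the proxy decides what the backend is told.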

