NATS5 Cookie Settings

From TMM Wiki
NATS 5
About NATS 5
NATS Requirements
NATS5 Changelog
NATS5 Cookie Settings
Members Section
Members Management
Adding a Member
View Member Details
Restricted Values
OpenID Connect
Mod Auth OpenIDC
    Adtool
GET /adtool/admin
GET /adtool/adtools
GET /adtool/adtool
GET /adtool/adtool-rules
GET /adtool/adtool-rule
GET /adtool/categories
GET /adtool/field-options
GET /adtool/field-types
GET /adtool/groups
GET /adtool/search
GET /adtool/templates
GET /adtool/types
GET /adtool/type
POST /adtool/adtool
POST /adtool/adtool-rule
POST /adtool/category
POST /adtool/field
POST /adtool/field-option
POST /adtool/group
POST /adtool/import
POST /adtool/type
PATCH /adtool/adtool
PATCH /adtool/adtool-group
PATCH /adtool/adtool-rule
PATCH /adtool/category
PATCH /adtool/field
PATCH /adtool/field-option
PATCH /adtool/group
PATCH /adtool/move
PATCH /adtool/restore-adtool
PATCH /adtool/restore-category
PATCH /adtool/restore-field
PATCH /adtool/restore-field-option
PATCH /adtool/restore-type
PATCH /adtool/type
DELETE /adtool/adtool
DELETE /adtool/adtool-rule
DELETE /adtool/category
DELETE /adtool/field
DELETE /adtool/field-option
DELETE /adtool/group
DELETE /adtool/type
    Affiliate
DELETE /affiliate/account-rep
DELETE /affiliate/account-type
DELETE /affiliate/affiliate
DELETE /affiliate/doc
DELETE /affiliate/group
DELETE /affiliate/permissions
GET /affiliate/account-changes
GET /affiliate/account-types
GET /affiliate/admin-settings
GET /affiliate/campaigns
GET /affiliate/current
GET /affiliate/current-permissions
GET /affiliate/docs
GET /affiliate/doc
GET /affiliate/groups
GET /affiliate/group
GET /affiliate/hits
GET /affiliate/link-styles
GET /affiliate/loginids
GET /affiliate/loginlog
GET /affiliate/manual-payout
GET /affiliate/news-sections
GET /affiliate/notes
GET /affiliate/notices
GET /affiliate/override
GET /affiliate/payout
GET /affiliate/payment-periods
GET /affiliate/payvia-types
GET /affiliate/payvia-type
GET /affiliate/permissions
GET /affiliate/programcampaigns
GET /affiliate/referrer
GET /affiliate/referring-urls
GET /affiliate/reps
GET /affiliate/rest-methods
GET /affiliate/search
GET /affiliate/search-limited
GET /affiliate/settings
GET /affiliate/skins
GET /affiliate/soap-functions
GET /affiliate/status
PATCH /affiliate/adminsettings
PATCH /affiliate/account-change
PATCH /affiliate/account-type
PATCH /affiliate/account-type-permissions
PATCH /affiliate/admin-setting
PATCH /affiliate/affiliate-account-type
PATCH /affiliate/affiliate-group
PATCH /affiliate/allsettings
PATCH /affiliate/account-rep
PATCH /affiliate/avatar
PATCH /affiliate/customs
PATCH /affiliate/defaults
PATCH /affiliate/details
PATCH /affiliate/override
PATCH /affiliate/password
PATCH /affiliate/payment-period
PATCH /affiliate/payvia
PATCH /affiliate/payvia-info
PATCH /affiliate/permissions
PATCH /affiliate/referrer
PATCH /affiliate/reset-api
PATCH /affiliate/reset-rss
PATCH /affiliate/reset-tos
PATCH /affiliate/rest-permissions
PATCH /affiliate/restore
PATCH /affiliate/restore-account-type
PATCH /affiliate/settings
PATCH /affiliate/soap-permissions
PATCH /affiliate/status
POST /affiliate/account-type
POST /affiliate/add
POST /affiliate/doc
POST /affiliate/group
POST /affiliate/invoice
POST /affiliate/manual-sale
POST /affiliate/note
    Biller
GET /biller/available
GET /biller/partner-available
GET /biller/billerdata
GET /biller/cascades
GET /biller/cascades-available
GET /biller/cascade-count
GET /biller/cascade-history
GET /biller/cascade-rules
GET /biller/cascade-rule
GET /biller/cascade-step-count
GET /biller/cascade-steps
GET /biller/cascade-detail
GET /biller/cascade-list
GET /biller/count
GET /biller/detail
GET /biller/fees
GET /biller/partner-fees
GET /biller/last_poll
GET /biller/partner-last-poll
GET /biller/list
GET /biller/partner-detail
GET /biller/partner-list
GET /biller/partner-shortnames
GET /biller/process_types
GET /biller/partner-process-types
GET /biller/shortnames
GET /biller/transaction_types
GET /biller/partner-transaction-types
GET /biller/taxes
POST /biller/add
POST /biller/cascade
POST /biller/cascade-rule
POST /biller/cascade-step
POST /biller/partner
PATCH /biller/cascade
PATCH /biller/cascade-rule
PATCH /biller/cascade-step
PATCH /biller/cascade-steps-reorder
PATCH /biller/fee
PATCH /biller/partner-fee
PATCH /biller/restore
PATCH /biller/restore-cascade
PATCH /biller/restore-partner
PATCH /biller/setting
PATCH /biller/partner-setting
PATCH /biller/tax
DELETE /biller/biller
DELETE /biller/cascade
DELETE /biller/cascade-rule
DELETE /biller/cascade-step
DELETE /biller/fee
DELETE /biller/partner-fee
DELETE /biller/partner
DELETE /biller/tax
    Codes
GET /codes/affiliate-codes
GET /codes/decode
GET /codes/linkcodes
GET /codes/strack
    Config
DELETE /config/setting
GET /config/section
GET /config/sections
PATCH /config/affiliate_default
PATCH /config/section
    Include
DELETE /include/include
DELETE /include/step
GET /include/include
GET /include/includes
GET /include/templates
PATCH /include/include
PATCH /include/restore
PATCH /include/step
POST /include/include
POST /include/step
    Mailing
DELETE /mailing/mailing
DELETE /mailing/mailing-rule
DELETE /mailing/queue
GET /mailing/mailing
GET /mailing/mailings
GET /mailing/mailing-rules
GET /mailing/mailing-rule
GET /mailing/queue
GET /mailing/removelist
PATCH /mailing/mailing
PATCH /mailing/mailing-rule
PATCH /mailing/removelist
PATCH /mailing/removelist-queue
PATCH /mailing/resend-queue
PATCH /mailing/restore-queue
PATCH /mailing/send-mailing
PATCH /mailing/send-test-mailing
POST /mailing/mailing
POST /mailing/mailing-rule
POST /mailing/removelist
    Maintenance
DELETE /maintenance/log
DELETE /maintenance/cache
GET /maintenance/admin-actions
GET /maintenance/log
GET /maintenance/logs
GET /maintenance/nats
GET /maintenance/report
GET /maintenance/report-progress
GET /maintenance/reports
GET /maintenance/server
GET /maintenance/table
GET /maintenance/tables
GET /maintenance/table-clean-count
GET /maintenance/table-clean-progress
PATCH /maintenance/log
PATCH /maintenance/report
PATCH /maintenance/table
    Member
GET /member/available_flags
GET /member/encryptusername
GET /member/authstring
GET /member/details
GET /member/flags
GET /member/loginlog
GET /member/matching
GET /member/notes
GET /member/notices
GET /member/restricted-values
GET /member/search
GET /member/suggestedcanceloffers
GET /member/surfer-actions
PATCH /member/details
PATCH /member/expiration
PATCH /member/expiremanual
PATCH /member/resend-transaction-email
PATCH /member/resend-transaction-postback
PATCH /member/restricted-value
PATCH /member/forget
PATCH /member/lock
PATCH /member/unlock
POST /member/flag
POST /member/login
POST /member/note
POST /member/restricted-value
DELETE /member/flag
DELETE /member/restricted-value
    Message
DELETE /message/message
DELETE /message/permanent
GET /message/count
GET /message/messages
GET /message/view
PATCH /message/read
PATCH /message/unread
PATCH /message/undelete
POST /message/message
    News
DELETE /news/entry
DELETE /news/section
GET /news/entry
GET /news/news
GET /news/sections
PATCH /news/entry
POST /news/entry
POST /news/section
    Notification
DELETE /notification/notification
DELETE /notification/permanent
GET /notification/count
GET /notification/notifications
GET /notification/view
PATCH /notification/read
PATCH /notification/unread
PATCH /notification/undelete
    Option
GET /option/options
GET /option/rule
PATCH /option/rule
PATCH /option/text
POST /option/rule
    Payment
DELETE /payment/invoice
DELETE /payment/payout-period
DELETE /payment/payvia-field
DELETE /payment/payvia-field-mc
DELETE /payment/payvia-rule
GET /payment/dump-format
GET /payment/dump-formats
GET /payment/invoices
GET /payment/payments
GET /payment/payment-dumps
GET /payment/payment-dump
GET /payment/payment-search
GET /payment/payvia
GET /payment/payvias
GET /payment/payvia-fields
GET /payment/payvia-field-mcs
GET /payment/payout-period
GET /payment/payout-periods
GET /payment/payvia-rules
GET /payment/payvia-rule
GET /payment/payviarule
PATCH /payment/copy-dump-format
PATCH /payment/default-payout-period
PATCH /payment/dump-format
PATCH /payment/duplicate-payvia
PATCH /payment/invoice
PATCH /payment/payment
PATCH /payment/payment-paid
PATCH /payment/payment-store
PATCH /payment/payment-unstore
PATCH /payment/payments
PATCH /payment/payments-unstore
PATCH /payment/payout-period
PATCH /payment/payout-period-affiliates
PATCH /payment/payvia
PATCH /payment/payvia-field
PATCH /payment/payvia-fields-reorder
PATCH /payment/payvia-field-mc
PATCH /payment/payvia-field-mcs-reorder
PATCH /payment/payvia-rule
PATCH /payment/payviarule
PATCH /payment/restore-payout-period
PATCH /payment/restore-payvia-field
PATCH /payment/restore-payvia-field-mc
POST /payment/check-dump
POST /payment/dump-format
POST /payment/import-dump
POST /payment/invoice
POST /payment/payout-period
POST /payment/payvia
POST /payment/payvia-field
POST /payment/payvia-field-mc
POST /payment/payvia-rule
    Program
DELETE /program/program
DELETE /program/payout-change
DELETE /program/payout-change-tier
GET /program/additional-payout-change-targets
GET /program/affiliate-available
GET /program/detail
GET /program/list
GET /program/options
GET /program/payout-changes
GET /program/redirect-available
GET /program/sites
GET /program/tours
GET /program/types
PATCH /program/default_payout
PATCH /program/details
PATCH /program/disable_affiliate
PATCH /program/disable_tour
PATCH /program/enable_affiliate
PATCH /program/enable_site
PATCH /program/enable_tour
PATCH /program/move-payout-change
PATCH /program/payout-change
PATCH /program/payout-change-tier
POST /program/new
POST /program/payout-change
POST /program/payout-change-tier
    Report
GET /report/affiliate-ratios
GET /report/hits
GET /report/hit-totals
GET /report/profitloss
GET /report/profit-loss
GET /report/fields
GET /report/focus
GET /report/focuses
GET /report/groups
GET /report/perspective
GET /report/perspectives
GET /report/report
GET /report/subscription
GET /report/surfer
GET /report/surferaction
GET /report/transactionpayouts
GET /report/transactions
GET /report/transaction
GET /report/report-widget
GET /report/widgets
GET /report/widget
GET /report/widget-info
GET /report/views
POST /report/focus
POST /report/group
POST /report/perspective
PATCH /report/focus
PATCH /report/focus-enabled
PATCH /report/focus-default
PATCH /report/focuses-reorder
PATCH /report/perspective
PATCH /report/perspective-group
PATCH /report/report-widget
PATCH /report/widget
DELETE /report/focus
    Reward
DELETE /reward/category
DELETE /reward/purchase
DELETE /reward/point
DELETE /reward/reward
GET /reward/categories
GET /reward/points
GET /reward/purchases
GET /reward/rewards
PATCH /reward/move-point
PATCH /reward/point
PATCH /reward/reward
PATCH /reward/ship-purchase
PATCH /reward/unship-purchase
POST /reward/category
POST /reward/point
POST /reward/reward
    Service
GET /service/check-functions
GET /service/condition
GET /service/countries
GET /service/country
GET /service/datetime
GET /service/languages
GET /service/periods
GET /service/ping
GET /service/project
GET /service/rule-condition-data
GET /service/rule-info
GET /service/stats-breakdowns
GET /service/timezone
GET /service/timestamp
POST /service/sendemail
    Site
GET /site/base-templates
GET /site/billers
GET /site/cookies
GET /site/coupon
GET /site/coupons
GET /site/coupon-revisions
GET /site/email-settings
GET /site/groups
GET /site/option
GET /site/options
GET /site/options-available
GET /site/option-fields
GET /site/option-rules
GET /site/option-rule
GET /site/option-type
GET /site/option-types
GET /site/programs
GET /site/redirect
GET /site/redirects
GET /site/redirect-rules
GET /site/redirect-rule
GET /site/site-list
GET /site/site
GET /site/site-notices
GET /site/site-partner
GET /site/site-partners
GET /site/site-type
GET /site/sites
GET /site/template
GET /site/templates
GET /site/template-sections
GET /site/template-sites
GET /site/tour
GET /site/tours
GET /site/tour-emails
GET /site/tour-notices
POST /site/coupon
POST /site/group
POST /site/option
POST /site/option-rule
POST /site/redirect
POST /site/redirect-rule
POST /site/site-partner
POST /site/site-tour
POST /site/copy-template
POST /site/tour
PATCH /site/cookie
PATCH /site/coupon
PATCH /site/duplicate-option
PATCH /site/email-settings
PATCH /site/group
PATCH /site/move
PATCH /site/option
PATCH /site/option-rule
PATCH /site/redirect
PATCH /site/redirect-rule
PATCH /site/reset-coupon
PATCH /site/restore-group
PATCH /site/restore-option
PATCH /site/restore-redirect
PATCH /site/restore-site
PATCH /site/restore-site-partner
PATCH /site/restore-tour
PATCH /site/site
PATCH /site/site-partner
PATCH /site/template
PATCH /site/tour
DELETE /site/cookie
DELETE /site/group
DELETE /site/option
DELETE /site/option-rule
DELETE /site/site
DELETE /site/site-partner
DELETE /site/redirect
DELETE /site/redirect-rule
DELETE /site/template
DELETE /site/tour
DELETE /site/tour-field
    Skin
DELETE /skin/skin
DELETE /skin/template
GET /skin/colors
GET /skin/export
GET /skin/skins
GET /skin/sections
GET /skin/templates
GET /skin/template
PATCH /skin/colors
PATCH /skin/flush
PATCH /skin/skin
PATCH /skin/template
POST /skin/copy-template
POST /skin/import
POST /skin/skin
POST /skin/template

This feature is available as of NATS version 5.0.3.1

Modern browsers have added two new settings when websites provide a cookie: Secure and SameSite. This article will go over the configuration settings for these flags, and how they affect cookies for your affiliates and surfers.

Secure Cookies

If Secure is set for a Cookie, it will only be transmitted by the browser back to NATS if the request is over a secure HTTPS connection. This ensures that the cookie, will not be transmitted over plain text, where its contents could be intercepted.

For more information on the Secure flag, you can reference the Secure section of Mozilla's Cookie Article.

The Secure Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 3-4 options for each.

The options are:

  • Use Secure if accessed over HTTPS - If the request is made over HTTPS, set Secure for the cookie. Otherwise don't. This is the default. This should be fine for most uses, if your sites aren't switching back and forth between http and https.
  • Always Set Secure - Set the Secure flag whether or not NATS determines the request is over HTTPS. this means the cookie will not be sent by the browser if the request is over HTTP. This should be set if you are certain HTTPS is used everywhere, and do not want the cookies to be sent if they are not.
  • Never Set Secure - Never set secure on cookies, so they will always be returned to NATS by the browser, whether or not the request is over HTTPS. This should be set if your sites change back and forth between HTTP and HTTPS (though we recommend moving them towards HTTPS everywhere).
  • Use HTTP_COOKIE_SECURE/HTTP_SESSION_SECURE setting (for surfer and member configs). Use whatever is set for the main config setting for the cookie sub-types.

The settings are:

  • HTTP_COOKIE_SECURE - Set security for regular cookies (which includes affiliate/admin cookies)
    • HTTP_COOKIE_SECURE_SURFER - Set security for cookies for surfers
    • HTTP_COOKIE_SECURE_MEMBER - Set security for cookies for members (there are currently no member cookies).
  • HTTP_SESSION_SECURE - Set security for php session cookies (which includes affiliate/admin cookies)
    • HTTP_SESSION_SECURE_SURFER - Set security for php session cookies for surfers
    • HTTP_SESSION_SECURE_MEMBER - Set security for php session cookies for members (there are currently no member session cookies).

NATS defaults HTTP_COOKIE_SECURE and HTTP_SESSION_SECURE to Use Secure if accessed over HTTPS, and sets the surfer and member settings to follow those main settings. This setup should be fine for most cases as long as your NATS and tours do not switch back and forth between HTTP and HTTPS. Keep in mind the most important piece of information, the NATS code, will still be handled even if a cookie is not set, as long as the NATS code is passed through tour pages correctly.

SameSite Cookies

The Samesite setting tells browsers when to send cookies in requests or redirects from third party sites. See Mozilla's SameSite Cookie Article for more technical information.

The Samesite Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 4-5 options for each.

The options are:

  • Strict -- Only allow cookies on requests and redirects sent by NATS to NATS. This means that requests from other sites -- including redirects -- will not include the cookies that were set by NATS.
  • Lax -- Only allow cookies on redirects from other sites to NATS -- not requests. This means that if another site includes a banner from NATS, or an iFrame from NATS, NATS cookies will not be sent.
  • None -- Allow NATS cookies on requests and redirects from other sites to NATS. This means that cookies created by NATS will always be sent to NATS from other sites. Note: this only works if Secure is on. If Secure is not set for a cookie, NATS will send Lax instead of None to avoid a browser error.

The settings are:

  • HTTP_COOKIE_SAMESITE - Set SameSite for regular cookies (which includes affiliate/admin cookies)
    • HTTP_COOKIE_SAMESITE_SURFER - Set SameSite for cookies for surfers
    • HTTP_COOKIE_SAMESITE_MEMBER - Set SameSite for cookies for members (there are currently no member cookies).
  • HTTP_SESSION_SAMESITE - Set SameSite for php session cookies (which includes affiliate/admin cookies)
    • HTTP_SESSION_SAMESITE_SURFER - Set SameSite for php session cookies for surfers
    • HTTP_SESSION_SECURE_MEMBER - Set SameSite for php session cookies for members (there are currently no member session cookies).
  • Use HTTP_COOKIE_SAMESITE/HTTP_SESSION_SAMESITE setting (for surfer and member configs). Use whatever is set for the main config setting for the cookie sub-types.

For SameSite, the NATS config defaults to Strict for regular cookies and sessions (which only includes affiliate/admin cookies), and Lax for surfer and member cookies and sessions.

This means that by default redirects to nats for affiliates and admins will not include cookies, to provide extra security. While NATS includes protections against cross-site requests, the purpose of the SameSite setting was to block requests such as this. If your setup requires affiliates and admins to be logged when redirected from a separate site to NATS, you would need to set Lax for those cookies/sessions. If you for some reason need to make includes of authenticated images or iframes to NATS for logged in admins/affiliates, you would need to set None for SameSite for these cookies, and also make sure you have HTTPS in use everywhere so that Secure will work properly.

By default redirects for surfers to nats will include cookies (Lax, but requests from third-party sites (banner images, iframes) will not include cookies. If you are including banners, this should still work fine as long as you are continuing to pass the nats code through with the include. If you are using iframe includes (which are not supported by NATS), you would need to set None for SameSite for these cookies, and also make sure you have HTTPS in use both on your NATS install and tours.