NATS5 Cookie Settings
Modern browsers have added two new settings when websites provide a cookie: Secure and SameSite. This article will go over the configuration settings for these flags, and how they affect cookies for your affiliates and surfers.
Secure Cookies
If Secure
is set for a Cookie, it will only be transmitted by the browser back to NATS if the request is over a secure HTTPS connection. This ensures that the cookie, will not be transmitted over plain text, where its contents could be intercepted.
For more information on the Secure flag, you can reference the Secure section of Mozilla's Cookie Article.
The Secure Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 3-4 options for each.
The options are:
- Use Secure if accessed over HTTPS - If the request is made over HTTPS, set Secure for the cookie. Otherwise don't. This is the default. This should be fine for most uses, if your sites aren't switching back and forth between http and https.
- Always Set Secure - Set the Secure flag whether or not NATS determines the request is over HTTPS. this means the cookie will not be sent by the browser if the request is over HTTP. This should be set if you are certain HTTPS is used everywhere, and do not want the cookies to be sent if they are not.
- Never Set Secure - Never set secure on cookies, so they will always be returned to NATS by the browser, whether or not the request is over HTTPS. This should be set if your sites change back and forth between HTTP and HTTPS (though we recommend moving them towards HTTPS everywhere).
- Use HTTP_COOKIE_SECURE/HTTP_SESSION_SECURE setting (for surfer and member configs). Use whatever is set for the main config setting for the cookie sub-types.
The settings are:
- HTTP_COOKIE_SECURE - Set security for regular cookies (which includes affiliate/admin cookies)
- HTTP_COOKIE_SECURE_SURFER - Set security for cookies for surfers
- HTTP_COOKIE_SECURE_MEMBER - Set security for cookies for members (there are currently no member cookies).
- HTTP_SESSION_SECURE - Set security for php session cookies (which includes affiliate/admin cookies)
- HTTP_SESSION_SECURE_SURFER - Set security for php session cookies for surfers
- HTTP_SESSION_SECURE_MEMBER - Set security for php session cookies for members (there are currently no member session cookies).
NATS defaults HTTP_COOKIE_SECURE and HTTP_SESSION_SECURE to Use Secure if accessed over HTTPS, and sets the surfer and member settings to follow those main settings. This setup should be fine for most cases as long as your NATS and tours do not switch back and forth between HTTP and HTTPS. Keep in mind the most important piece of information, the NATS code, will still be handled even if a cookie is not set, as long as the NATS code is passed through tour pages correctly.
SameSite Cookies
The Samesite
setting tells browsers when to send cookies in requests or redirects from third party sites. See Mozilla's SameSite Cookie Article for more technical information.
The Samesite Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 4-5 options for each.