NATS5 Cookie Settings
As of NATS version 5.0.3.1
Modern browsers have added two new settings when websites provide a cookie: Secure and SameSite. This article will go over the configuration settings for these flags, and how they affect cookies for your affiliates and surfers.
Secure Cookies
If Secure
is set for a Cookie, it will only be transmitted by the browser back to NATS if the request is over a secure HTTPS connection. This ensures that the cookie, will not be transmitted over plain text, where its contents could be intercepted.
For more information on the Secure flag, you can reference the Secure section of Mozilla's Cookie Article.
The Secure Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 3-4 options for each.
The options are:
- Use Secure if accessed over HTTPS - If the request is made over HTTPS, set Secure for the cookie. Otherwise don't. This is the default. This should be fine for most uses, if your sites aren't switching back and forth between http and https.
- Always Set Secure - Set the Secure flag whether or not NATS determines the request is over HTTPS. this means the cookie will not be sent by the browser if the request is over HTTP. This should be set if you are certain HTTPS is used everywhere, and do not want the cookies to be sent if they are not.
- Never Set Secure - Never set secure on cookies, so they will always be returned to NATS by the browser, whether or not the request is over HTTPS. This should be set if your sites change back and forth between HTTP and HTTPS (though we recommend moving them towards HTTPS everywhere).
- Use HTTP_COOKIE_SECURE/HTTP_SESSION_SECURE setting (for surfer and member configs). Use whatever is set for the main config setting for the cookie sub-types.
The settings are:
- HTTP_COOKIE_SECURE - Set security for regular cookies (which includes affiliate/admin cookies)
- HTTP_COOKIE_SECURE_SURFER - Set security for cookies for surfers
- HTTP_COOKIE_SECURE_MEMBER - Set security for cookies for members (there are currently no member cookies).
- HTTP_SESSION_SECURE - Set security for php session cookies (which includes affiliate/admin cookies)
- HTTP_SESSION_SECURE_SURFER - Set security for php session cookies for surfers
- HTTP_SESSION_SECURE_MEMBER - Set security for php session cookies for members (there are currently no member session cookies).
NATS defaults HTTP_COOKIE_SECURE and HTTP_SESSION_SECURE to Use Secure if accessed over HTTPS, and sets the surfer and member settings to follow those main settings. This setup should be fine for most cases as long as your NATS and tours do not switch back and forth between HTTP and HTTPS. Keep in mind the most important piece of information, the NATS code, will still be handled even if a cookie is not set, as long as the NATS code is passed through tour pages correctly.
SameSite Cookies
The Samesite
setting tells browsers when to send cookies in requests or redirects from third party sites. See Mozilla's SameSite Cookie Article for more technical information.
The Samesite Cookies settings can be accessed in the Cookie Settings heading of the Surfer section of the Configuration Admin. There are 6 settings and 4-5 options for each.
The options are:
- Strict -- Only allow cookies on requests and redirects sent by NATS to NATS. This means that requests from other sites -- including redirects -- will not include the cookies that were set by NATS.
- Lax -- Only allow cookies on redirects from other sites to NATS -- not requests. This means that if another site includes a banner from NATS, or an iFrame from NATS, NATS cookies will not be sent.
- None -- Allow NATS cookies on requests and redirects from other sites to NATS. This means that cookies created by NATS will always be sent to NATS from other sites. Note: this only works if Secure is on. If Secure is not set for a cookie, NATS will send Lax instead of None to avoid a browser error.
The settings are:
- HTTP_COOKIE_SAMESITE - Set SameSite for regular cookies (which includes affiliate/admin cookies)
- HTTP_COOKIE_SAMESITE_SURFER - Set SameSite for cookies for surfers
- HTTP_COOKIE_SAMESITE_MEMBER - Set SameSite for cookies for members (there are currently no member cookies).
- HTTP_SESSION_SAMESITE - Set SameSite for php session cookies (which includes affiliate/admin cookies)
- HTTP_SESSION_SAMESITE_SURFER - Set SameSite for php session cookies for surfers
- HTTP_SESSION_SECURE_MEMBER - Set SameSite for php session cookies for members (there are currently no member session cookies).
- Use HTTP_COOKIE_SAMESITE/HTTP_SESSION_SAMESITE setting (for surfer and member configs). Use whatever is set for the main config setting for the cookie sub-types.
For SameSite, the NATS config defaults to Strict
for regular cookies and sessions (which only includes affiliate/admin cookies), and Lax
for surfer and member cookies and sessions.
This means that by default redirects to nats for affiliates and admins will not include cookies, to provide extra security. While NATS includes protections against cross-site requests, the purpose of the SameSite setting was to block requests such as this. If your setup requires affiliates and admins to be logged when redirected from a separate site to NATS, you would need to set Lax
for those cookies/sessions. If you for some reason need to make includes of authenticated images or iframes to NATS for logged in admins/affiliates, you would need to set None for SameSite for these cookies, and also make sure you have HTTPS in use everywhere so that Secure will work properly.
By default redirects for surfers to nats will include cookies (Lax
, but requests from third-party sites (banner images, iframes) will not include cookies. If you are including banners, this should still work fine as long as you are continuing to pass the nats code through with the include. If you are using iframe includes (which are not supported by NATS), you would need to set None
for SameSite for these cookies, and also make sure you have HTTPS in use both on your NATS install and tours.