SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed.


Itay malka

Jun 7, 2022, 2:33:45 AM
to SimpleSAMLphp
Hey,

Can anyone help please with this error?
SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed.

Itay

Tim van Dijen

Jun 7, 2022, 3:31:10 AM
to SimpleSAMLphp
Hi Itay,

You are setting `session.cookie.secure = true` or `language.cookie.secure = true`, while you are running your webserver without TLS.
If you are running behind a reverse proxy, you have to properly configure the `basepathurl` to the full public url.

- Tim

On Tuesday, 7 June 2022 at 08:33:45 UTC+2, Itay malka wrote:

Itay malka

Jun 7, 2022, 3:38:18 AM
to SimpleSAMLphp
Thanks a lot for the answer.
Is this the right way?
'baseurlpath' => 'https://***********/simplesaml/',
'session.cookie.secure' => true,
'language.cookie.secure' => true,

On Tuesday, 7 June 2022 at 10:31:10 UTC+3, tvd...@gmail.com wrote:

Tim van Dijen

Jun 7, 2022, 3:47:42 AM
to SimpleSAMLphp
Yes, that will make SimpleSAMLphp _think_ it's running on https and should take care of the error.


On Tuesday, 7 June 2022 at 09:38:18 UTC+2, Itay malka wrote:

Itay malka

Jun 7, 2022, 3:53:10 AM
to SimpleSAMLphp
Thank you.
No error, but I get this on the page:
This site can not be reached ********* refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

On Tuesday, 7 June 2022 at 10:47:42 UTC+3, tvd...@gmail.com wrote:

Tim van Dijen

Jun 7, 2022, 4:23:46 AM
to SimpleSAMLphp
Hmmm, I don't get it... Are you running SimpleSAMLphp on HTTP?

On Tuesday, 7 June 2022 at 09:53:10 UTC+2, Itay malka wrote:

Itay malka

Jun 7, 2022, 4:29:23 AM
to SimpleSAMLphp
Hey,
Thanks again.
I enter the address with http and it works, but it constantly moves me to https.
I cannot understand why.
Can anyone help please?

Regards

Itay

On Tuesday, 7 June 2022 at 11:23:46 UTC+3, tvd...@gmail.com wrote:

Tim van Dijen

Jun 7, 2022, 4:31:40 AM
to SimpleSAMLphp
Change the baseurlpath to start with http://*** and set `session.cookie.secure = false` and `language.cookie.secure = false`.
Note that it's not recommended to run on plain http.

On Tuesday, 7 June 2022 at 10:29:23 UTC+2, Itay malka wrote:

Itay malka

Jun 7, 2022, 4:40:29 AM
to SimpleSAMLphp
Now I get this error:

Configuration error

SimpleSAMLphp appears to be misconfigured.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:

TR8d187d6b
Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed.

Backtrace:
3 lib/SimpleSAML/Session.php:306 (SimpleSAML\Session::getSessionFromRequest)
2 modules/core/www/frontpage_welcome.php:5 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

On Tuesday, 7 June 2022 at 11:31:40 UTC+3, tvd...@gmail.com wrote:

Tim van Dijen

Jun 7, 2022, 4:53:48 AM
to SimpleSAMLphp
That's the same error again. Please set `session.cookie.secure` to `false`.

On Tuesday, 7 June 2022 at 10:40:29 UTC+2, Itay malka wrote:

Itay malka

Jun 7, 2022, 5:36:24 AM
to SimpleSAMLphp
We went back to the same problem.
I defined it like this:
'baseurlpath' => 'https://********/simplesaml/',
'session.cookie.secure' => false,
'language.cookie.secure' => true,
When I go to an address with standard http the main page works, but when I try to click on something it takes me to https.

On Tuesday, 7 June 2022 at 11:53:48 UTC+3, tvd...@gmail.com wrote:

Itay malka

Jun 7, 2022, 7:05:58 AM
to SimpleSAMLphp
Can anyone help please?

On Tuesday, 7 June 2022 at 12:36:24 UTC+3, Itay malka wrote:

Peter Brand

Jun 7, 2022, 8:21:30 AM
to SimpleSAMLphp
* Itay malka <skyit...@gmail.com> [2022-06-07 11:36]:
> We went back to the same problem

What is this for, some kind of local/internal test system?
Note that you can configure such systems with TLS nonetheless
(e.g. using a self-signed certificate).

No web server with SimpleSAMLphp installed (security software
implementing multiple security protocols) should be running with plain
HTTP only. Probably not even with plain HTTP at all.

So either configure your web server properly *with* TLS -- or remove
all signs of https:// and "secure" cookies from your SSP configuration
and run a worthless and completely insecure deployment on plain HTTP
with no TLS.

-peter

Jørn Skifter Andersen

Apr 17, 2024, 5:10:56 AM
to SimpleSAMLphp

Hi

I solved this by changing the baseurlpath to the following. This forces SimpleSAMLphp to use https. It also handles the case where you have multiple sites on the same server and are behind a proxy.

'baseurlpath' => 'https://' . $_SERVER['HTTP_HOST'] . '/simplesaml/',

Cris Linden

Jul 15, 2024, 7:54:32 PM
to SimpleSAMLphp
Note also that one way the SessionHandler determines whether your server is using https is the Util method HTTP::getServerHttps(), which checks the value of $_SERVER['HTTPS']. 

If you've set the baseurlpath correctly and are still getting the CriticalConfigurationError, check your $_SERVER array; it's possible, depending on your server configuration, that the HTTPS key isn't even present. If that's the case, you can work around it by setting the value explicitly before you initialize the Auth object.

$_SERVER['HTTPS'] = true; // or you can determine the value dynamically if you're really not sure
$as = new \SimpleSAML\Auth\Simple('myAuthSource');
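The three points raised in this thread (Tim's note that behind a reverse proxy the baseurlpath must be the full public URL, Jørn's baseurlpath built from HTTP_HOST, and Cris's observation that the session handler looks at $_SERVER['HTTPS']) in one added PHP example that is not code from the thread or from SimpleSAMLphp; the proxy address, the public hostname and the X-Forwarded-Proto header are assumptions. It pins the hostname instead of reading the client-controlled Host header, and honours X-Forwarded-Proto only from a known proxy address:

```php
<?php
// Added example (not code from this thread or from SimpleSAMLphp): the
// consistency rule behind the error, plus a proxy-aware way to populate
// $_SERVER['HTTPS'] before SimpleSAMLphp reads it. Assumed: the proxy
// sends X-Forwarded-Proto, its address is in TRUSTED_PROXIES, and the
// public hostname is pinned in PUBLIC_HOST rather than read from Host.

const TRUSTED_PROXIES = ['10.0.0.5'];      // assumed proxy address
const PUBLIC_HOST     = 'sso.example.org'; // assumed public hostname

// Same rule the session handler applies: a secure cookie is only
// allowed when the current request itself arrived over HTTPS.
function cookieConfigIsValid(array $server, array $config): bool
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $wantsSecure = ($config['session.cookie.secure'] ?? false)
        || ($config['language.cookie.secure'] ?? false);
    return $https || !$wantsSecure;
}

// Set HTTPS from X-Forwarded-Proto only for requests that came from a
// trusted proxy; any client can send that header directly.
function applyForwardedProto(array $server): array
{
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    if ($fromProxy && $proto === 'https') {
        $server['HTTPS'] = 'on';
    }
    return $server;
}

// Build baseurlpath from a pinned host, not $_SERVER['HTTP_HOST']: the
// Host header is client-controlled and would end up in redirect URLs.
function baseUrlPath(bool $https): string
{
    return ($https ? 'https' : 'http') . '://' . PUBLIC_HOST . '/simplesaml/';
}

// Constructed request: plain HTTP to the backend, TLS terminated at the proxy.
$request = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$request = applyForwardedProto($request);
$config  = [
    'baseurlpath'            => baseUrlPath(!empty($request['HTTPS'])),
    'session.cookie.secure'  => true,
    'language.cookie.secure' => true,
];
var_dump(cookieConfigIsValid($request, $config));
```

With the same config but a request that did not come through the trusted proxy, HTTPS stays unset and cookieConfigIsValid() returns false, which is exactly the condition the CriticalConfigurationError reports.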
