We've got Secure Pages, Secure Pages Prevent Hijack, Ubercart, and the add-on Ubercart File Download module (among others) installed. After some tweaking, Secure Pages Prevent Hijack seems to be working pretty much as designed, except in one or two specific cases.
Our dblog reports errors periodically that "Secure Pages Prevent Hijack failed to set secure cookie." These are almost invariably associated either with a first-time login of a user that was created automatically through Ubercart, or with one of those users trying to access a purchased file download. Here is a sample log entry:
Type security
Date Thursday, February 9, 2012 - 09:24
User [username]
Location http://www.domain.tld/index.php?q=user&q=user
Referrer https://www.domain.tld/user
Message Secure Pages Prevent Hijack failed to set secure cookie.
Severity critical
Hostname 192.168.#.###There is a correct, real username in place of [username], and a correct IP address appears in Hostname.
Here is another one:
Type security
Date Thursday, February 9, 2012 - 05:31
User [username]
Location http://www.domain.tld/index.php?q=user/6323/edit&q=user%2F6323%2Fedit
Referrer https://www.domain.tld/user/6323/edit
Message Secure Pages Prevent Hijack failed to set secure cookie.
Severity critical
Hostname 192.168.#.###I notice that for some reason the user variable is getting duplicated in the "Location" in both cases. And that the Referrer is https while the Location is just plain http. We are running a mixed mode site.
My suspicion is that it has to do with the automated message going out to new users, and that the link generated by the variables there use the non-https version of the base_url variable. Or that I'm missing one or more additional paths that need to be added to the Secure Pages config. Or that the Ubercart File Download sub-module is doing somethng funky.
Regarding the base_url variable, in our settings.php file, we are using the following code:
$base_url = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ? 'https://' : 'http://') . 'www.domain.tld';
This modified code is being used to fix some Ajax problems we were having with lookup fields when editing pages, as described here:
http://drupal.org/node/746264#comment-3152392
I wonder if I need to hard-code the https into the url's that go out with the new user registration emails, instead of leaving them to use variables built with base_url?
Here is our list of paths currently configured to require secure pages:
admin
admin/*
cart
cart/*
catalog
catalog*
catalog/*
cgi-bin/webscr
help
help/*
node/add*
node/*/edit
taxes/calculate
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
user
user/*
users/*
Any suggestions to get rid of this error in our dblog? Or should I perhaps just ignore it - it says it is "critical" but I don't know if it really is?
Phil.
Comments
Comment #1
bisonbleu commentedAnybody home? :-)
I got a similar error message when a user tried to edit their account profile.
Recent log entries (sorted desc):
- Session hijack attempt detected for user Eddie ...
- Secure Pages Prevent Hijack failed to set secure cookie.
The following pages are secured by the Secure Pages module
user*
cart/checkout*
uc_paypal*
Can someone help?
I've got registrations with online payments just starting... :-/
Ubercart 2.9
Secure Pages 6.x-1.9
Secure Pages Hijack Prevention 6.x-1.6
Comment #2
pkiff commentedI'm home, but have no solution. I've been pre-occupied with other things and this set of errors is not a show-stopper for us, so I am just living with it for now. In our case, the error is transient and difficult to predict/reproduce: it does not affect all orders.
A temporary fix might be to disable the Secure Page Hijack Prevention module, since I believe we did not experience this error until I enabled that module. (I am not saying the error is due to a fault in that module, but simply that you can disable the Hijack Prevention and your store will still run fine, whereas you really shouldn't disable Secure Pages for a site running Ubercart).
Phil.
Comment #3
bisonbleu commentedHey Phil, I understand. Like being stuck between a rock and a hard place.
I found a solution. And it is to forget about jit mix mode (http/https). Check out version 6.x-2.x-dev of Secure Pages which now allows to 'always use https for specific roles' (e.g. authenticated). In doing so, at least for my use case, the need for SPHP fades away. Works for me because buyers need to be logged in to even see the cart. I suppose this wouldn't work for anonymous checkout.
See this issue for more information: https://drupal.org/node/1145292