"You must access this application via HTTPS, since secure cookies are enabled."
If you see this error message, it is because you are running OpenFISMA in production mode on an insecure port (port 80 without SSL instead of port 443 with SSL).
OpenFISMA enables secure cookies in its default configuration for security reasons.
To fix it, you can do one of the following:
1) For a production system, the recommended action is to enable SSL on your web server. This is a tricky process that I can't explain here, but Google searches can provide details (e.g. http://www.securityfocus.com/infocus/1818). Endeavor Systems can also configure the web server for you as part of our installation and maintenance service package.
2) For personal usage of OpenFISMA (to evaluate, play around with, etc.), you can modify the system configuration to allow insecure communications. Edit the file at /application/config/app.conf, find the line that says "session.cookie_secure = true", and change the value from true to false. With the value set to false, the browser will send the session cookie over plain HTTP as well. You don't need to restart; just go back to the OpenFISMA login page and this error will go away.
This screenshot demonstrates:
3) Another option for personal usage is to enable development mode. Development mode disables secure communications by default and is not recommended for production systems. To enable development mode, open the /application/config/app.conf file and change the line "environment = production" to "environment = development". You don't need to restart; the change takes effect immediately.
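Options 2 and 3 are meant for evaluation copies, so it is worth checking an app.conf before it goes onto a production host. The following is an added example, not code from OpenFISMA: it assumes app.conf uses plain "key = value" lines with ; or # comments and INI-style boolean spellings, and the names audit_app_conf and SAMPLE_EVAL_CONF are hypothetical.

```python
import re

TRUTHY = {"true", "on", "yes", "1"}  # assumption: INI-style boolean spellings

# Key -> test for the value the page describes as the secure production setting.
SAFE = {
    "session.cookie_secure": lambda v: v in TRUTHY,
    "environment": lambda v: v == "production",
}

# key = value, optionally quoted, optionally followed by a ; or # comment
ASSIGN = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^";#]*?)"?\s*(?:[;#].*)?$')


def audit_app_conf(text):
    """Return (line_no, key, value) for each setting that relaxes HTTPS.

    A key that never appears is reported as (0, key, None) so that a
    missing setting is reviewed rather than silently trusted.
    """
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ASSIGN.match(line)
        if not match or match.group(1) not in SAFE:
            continue  # comments, blank lines, section headers, other keys
        key, value = match.group(1), match.group(2).strip().lower()
        seen.add(key)
        if not SAFE[key](value):
            findings.append((line_no, key, value))
    findings.extend((0, key, None) for key in SAFE if key not in seen)
    return findings


# Constructed sample: an evaluation copy with both relaxations from the page.
SAMPLE_EVAL_CONF = """\
; constructed sample, not a real OpenFISMA file
environment = development
session.cookie_secure = false
"""

if __name__ == "__main__":
    for line_no, key, value in audit_app_conf(SAMPLE_EVAL_CONF):
        print(f"app.conf:{line_no}: {key} = {value}")
```

An empty result means both settings match the production values described above; any finding points at the line to revert before the system is exposed.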
