SimpleSAML_Session should set the auth token using the SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers.

The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().