Fix bug with SameSite not being set

An issue in the code prevented the SameSite session cookie option from being set the first time we were reaching SSP when using PHP versions older than 7.3. This fixes #1320

Fix bug with SameSite not being set
An issue in the code prevented the SameSite session cookie option from being set the first time we were reaching SSP when using PHP versions older than 7.3. This fixes #1320
11659b79 · Jaime Pérez Crespo · f3d42c47 · 11659b79
Commit 11659b79 authored 4 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -91,10 +91,6 @@ class SessionHandlerPHP extends SessionHandler
                    'samesite' => $params['samesite'],
                ]);
            } else {
-                /* in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute */
-                if ($params['samesite'] !== null and !preg_match('/;\s+samesite/i', $params['path'])) {
-                    $params['path'] .= '; SameSite=' . $params['samesite'];
-                }
                session_set_cookie_params(
                    $params['lifetime'],
                    $params['path'],
@@ -322,6 +318,13 @@ class SessionHandlerPHP extends SessionHandler

        $ret['httponly'] = $config->getBoolean('session.phpsession.httponly', true);

+        if (version_compare(PHP_VERSION, '7.3.0', '<')) {
+            // in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute
+            if ($ret['samesite'] !== null and !preg_match('/;\s+samesite/i', $ret['path'])) {
+                $ret['path'] .= '; SameSite=' . $ret['samesite'];
+            }
+        }
+
        return $ret;
    }