From 11659b79ca68cc893479c0f14e6a971aeaa1b2b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Sun, 10 May 2020 15:19:52 +0200
Subject: [PATCH] Fix bug with SameSite not being set

An issue in the code prevented the SameSite session cookie option from being set the first time we were reaching SSP when using PHP versions older than 7.3.

This fixes #1320
---
 lib/SimpleSAML/SessionHandlerPHP.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index d6e6d15e4..b81b58e45 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -91,10 +91,6 @@ class SessionHandlerPHP extends SessionHandler
                     'samesite' => $params['samesite'],
                 ]);
             } else {
-                /* in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute */
-                if ($params['samesite'] !== null and !preg_match('/;\s+samesite/i', $params['path'])) {
-                    $params['path'] .= '; SameSite=' . $params['samesite'];
-                }
                 session_set_cookie_params(
                     $params['lifetime'],
                     $params['path'],
@@ -322,6 +318,13 @@ class SessionHandlerPHP extends SessionHandler
 
         $ret['httponly'] = $config->getBoolean('session.phpsession.httponly', true);
 
+        if (version_compare(PHP_VERSION, '7.3.0', '<')) {
+            // in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute
+            if ($ret['samesite'] !== null and !preg_match('/;\s+samesite/i', $ret['path'])) {
+                $ret['path'] .= '; SameSite=' . $ret['samesite'];
+            }
+        }
+
         return $ret;
     }
 
-- 
GitLab