From 47e9bdc458dadab4cc68ab6c0e331af180d8adc0 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Wed, 27 May 2015 15:38:01 +0000
Subject: [PATCH] Set PHP session cookie configuation to be true by default.

Marking the PHP session cookie HttpOnly keeps it out of reach of client-side script, which is more secure and therefore the better default.
---
 config-templates/config.php          | 2 +-
 lib/SimpleSAML/SessionHandlerPHP.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index 3104e4672..b45616bad 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -310,7 +310,7 @@ $config = array(
      */
     'session.phpsession.cookiename' => null,
     'session.phpsession.savepath' => null,
-    'session.phpsession.httponly' => false,
+    'session.phpsession.httponly' => true,
 
     /*
      * Option to override the default settings for the auth token cookie
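Review bot: The new default on the `'session.phpsession.httponly'` line is not explained where an administrator would read it; the descriptive comment for these three options ends outside the hunk, so the template should carry a short note right at the value so that anyone flipping it back to false understands what they give up. I would add an inline comment after the value: `'session.phpsession.httponly' => true, // HttpOnly: the PHP session cookie is not exposed to client-side script; only set to false if you have a documented need for script access`. The comment block this option belongs to starts before the hunk.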
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 9857d8430..04988b8c3 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -211,7 +211,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 			$ret['path'] = $config->getBoolean('session.phpsession.limitedpath', FALSE) ? '/' . $config->getBaseURL() : '/';
 		}
 
-		$ret['httponly'] = $config->getBoolean('session.phpsession.httponly', FALSE);
+		$ret['httponly'] = $config->getBoolean('session.phpsession.httponly', TRUE);
 
 		return $ret;
 	}
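Review bot: The fallback `TRUE` on the `$ret['httponly']` line is a silent behaviour change for installations that do not set the option, and the code carries no hint that this is deliberate or that an explicit `false` in config still wins (presumably the `getBoolean` default only applies when the key is absent; I have not seen its definition). I would put a one-line comment above the assignment: `// Default the session cookie to HttpOnly; an explicit 'session.phpsession.httponly' => false in config still overrides this.` The same default is now repeated here and in config-templates/config.php, so the two can drift; if the project has a single place for option defaults, pointing the comment at it would help. The enclosing method starts before the hunk.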
-- 
GitLab