From 728f30d78a6fb73003dfddfdab2ce53ee0f20856 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 8 Feb 2008 12:14:32 +0000
Subject: [PATCH] SessionHandlerCookie: Make cookies secure on a
 https-connection.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@271 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/SessionHandlerCookie.php | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/lib/SimpleSAML/SessionHandlerCookie.php b/lib/SimpleSAML/SessionHandlerCookie.php
index f4e69f5c4..b4a3c9ec0 100644
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -47,7 +47,30 @@ extends SimpleSAML_SessionHandler {
 
 		/* We don't have a valid session. Create a new session id. */
 		$this->session_id = self::createSessionID();
-		setcookie('SimpleSAMLSessionID', $this->session_id, 0, '/');
+		setcookie('SimpleSAMLSessionID', $this->session_id, 0, '/',
+			NULL, self::secureCookie(), TRUE);
+	}
+
+
+	/**
+	 * This function checks if we should set a secure cookie.
+	 *
+	 * @return TRUE if the cookie should be secure, FALSE otherwise.
+	 */
+	private static function secureCookie() {
+
+		if(!array_key_exists('HTTPS', $_SERVER)) {
+			/* Not a https-request. */
+			return FALSE;
+		}
+
+		if($_SERVER['HTTPS'] === 'off') {
+			/* IIS with HTTPS off. */
+			return FALSE;
+		}
+
+		/* Otherwise, HTTPS will be a non-empty string. */
+		return $_SERVER['HTTPS'] !== '';
 	}
 
 
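Review bot: secureCookie() decides the Secure flag from $_SERVER['HTTPS'] alone, so when TLS is terminated at a reverse proxy or load balancer that variable is typically unset and the SimpleSAMLSessionID cookie at lines 21-22 is issued without the Secure flag even though the user reached the service over HTTPS; a browser will then also send the session id on any later plain-HTTP request to the same host. A configuration setting that forces the flag on, overriding the auto-detection, would close that gap without having to trust forwarded-protocol headers, which are only meaningful when they come from a known proxy. At minimum the docblock at lines 26-30 should state the limitation, e.g. `* Note: relies on $_SERVER['HTTPS'] and therefore returns FALSE behind a TLS-terminating proxy that does not set it.`. The method containing the setcookie() call starts before this hunk, and the `NULL` passed as the domain argument presumably coerces to the empty-string default of setcookie(), which is what was passed implicitly before.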