SimpleSAML_SessionHandler::setCookie: deny setting secure cookie on http (issue 416).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2876 44740490-163a-0410-bde0-09ae8108e29a

SimpleSAML_SessionHandler::setCookie: deny setting secure cookie on http (issue 416).
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2876 44740490-163a-0410-bde0-09ae8108e29a
7e392041 · Andjelko Horvat · 8821f75a · 7e392041
Commit 7e392041 authored 13 years ago by Andjelko Horvat
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -136,6 +136,12 @@ abstract class SimpleSAML_SessionHandler {
 		$params = $this->getCookieParams();
+		// Do not set secure cookie if not on HTTPS
+		if ($params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
+			SimpleSAML_Logger::warning('Setting secure cookie on http not allowed.');
+			return;
+		}
 		if ($value === NULL) {
 			$expire = time() - 365*24*60*60;
 		} elseif ($params['lifetime'] === 0) {
@@ -146,9 +152,12 @@ abstract class SimpleSAML_SessionHandler {
 		$version = explode('.', PHP_VERSION);
 		if ((int)$version[0] === 5 && (int)$version[1] < 2) {
-			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
+			$success = setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
 		} else {
-			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+			$success = setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+		}
+		if (!$success) {
+			throw new SimpleSAML_Error_Exception('Error setting cookie - headers already sent.');
 		}
 	}