From 7e392041ddaae8d8c712ffc06d9ef660d82fd6e3 Mon Sep 17 00:00:00 2001
From: Andjelko Horvat <comel@vingd.com>
Date: Thu, 28 Jul 2011 15:48:34 +0000
Subject: [PATCH] SimpleSAML_SessionHandler::setCookie: deny setting secure
 cookie on http (issue 416).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2876 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/SessionHandler.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandler.php b/lib/SimpleSAML/SessionHandler.php
index 363ce2098..684e49bb7 100644
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -136,6 +136,12 @@ abstract class SimpleSAML_SessionHandler {
 
 		$params = $this->getCookieParams();
 
+		// Do not set secure cookie if not on HTTPS
+		if ($params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
+			SimpleSAML_Logger::warning('Setting secure cookie on http not allowed.');
+			return;
+		}
+
 		if ($value === NULL) {
 			$expire = time() - 365*24*60*60;
 		} elseif ($params['lifetime'] === 0) {
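Review bot: The new guard `if ($params['secure'] && !SimpleSAML_Utilities::isHTTPS())` returns silently, so a caller of setCookie() cannot tell a refused cookie from one that was set. The only trace is a log warning, whereas the failure path added later in this same patch throws. Consider throwing here as well, for example `throw new SimpleSAML_Error_Exception('Setting secure cookie on http not allowed.');`, or at least state in the method's docblock that a refused secure cookie is a no-op. How isHTTPS() decides is not visible in this patch; if it inspects only the local connection, a deployment that terminates TLS on a reverse proxy would take this branch on every request and silently lose its session cookie. The body of setCookie() starts before this hunk and continues past it.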
@@ -146,9 +152,12 @@ abstract class SimpleSAML_SessionHandler {
 
 		$version = explode('.', PHP_VERSION);
 		if ((int)$version[0] === 5 && (int)$version[1] < 2) {
-			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
+			$success = setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
 		} else {
-			setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+			$success = setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
+		}
+		if (!$success) {
+			throw new SimpleSAML_Error_Exception('Error setting cookie - headers already sent.');
 		}
 	}
 
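Review bot: The message thrown under `if (!$success)` states "headers already sent", but the code only knows that setcookie() returned false. As far as I know, PHP also returns false with a warning when it rejects the cookie name or value, and the message would then send an operator looking for stray output that does not exist. Suggest confirming the cause first, e.g. `if (headers_sent($file, $line)) { SimpleSAML_Logger::error("Headers already sent at $file:$line"); }`. Then throw a message that names the cookie without asserting the reason, such as `'Error setting cookie "' . $name . '".'`. Keeping the file and line in the log rather than in the exception text avoids exposing server paths if the exception is rendered to the browser. The function begins outside this hunk.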
-- 
GitLab