From 8756835bacc7057734aba7fe349b534e63261253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Sat, 2 Jul 2016 17:20:56 +0200
Subject: [PATCH] SimpleSAML_Session should set the auth token using the SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers. The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().
---
 lib/SimpleSAML/Session.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 153478a0d..7f482a651 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -541,9 +541,10 @@ class SimpleSAML_Session
 $this->setRememberMeExpire();
 } else {
- $sessionHandler->setCookie(
+ SimpleSAML\Utils\HTTP::setCookie(
 $globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken'),
- $this->authToken
+ $this->authToken,
+ $sessionHandler->getCookieParams()
 );
 }
 }
-- 
GitLab
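Review bot: The new `SimpleSAML\Utils\HTTP::setCookie()` call in the `else` branch carries no comment explaining why its third argument matters. The auth token cookie now takes whatever attributes `$sessionHandler->getCookieParams()` returns (presumably the session cookie's path, domain and secure/httponly flags), and a later edit that drops the argument would fall back to the helper's own defaults instead. A short comment above the call would pin this, for example `// Auth token must use the same cookie parameters as the session cookie; the handler's setCookie() is reserved for the session cookie itself.` The commit description also names `getSessionParams()` while the code calls `getCookieParams()`, so one of the two should be corrected. The enclosing method starts above this hunk, so how a failure raised while setting the cookie is handled cannot be checked from here.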