From 8756835bacc7057734aba7fe349b534e63261253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Sat, 2 Jul 2016 17:20:56 +0200
Subject: [PATCH] SimpleSAML_Session should set the auth token using the
 SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method
 provided by session handlers.

The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not arbitrary cookies. If we want other cookies to have the same parameters as the session cookie, we can always get the session parameters by calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().
---
 lib/SimpleSAML/Session.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 153478a0d..7f482a651 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -541,9 +541,10 @@ class SimpleSAML_Session
 
             $this->setRememberMeExpire();
         } else {
-            $sessionHandler->setCookie(
+            SimpleSAML\Utils\HTTP::setCookie(
                 $globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken'),
-                $this->authToken
+                $this->authToken,
+                $sessionHandler->getCookieParams()
             );
         }
     }
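Review bot: The new call in the else branch passes `$sessionHandler->getCookieParams()` straight through, so the auth token cookie's `secure`, `httponly`, path and domain attributes now depend entirely on what that method returns, and nothing at the call site records that this is intended. A one-line comment above the call would help, for example `// the auth token cookie deliberately inherits the session cookie's path, domain, secure and httponly settings`. It is also worth confirming how `SimpleSAML\Utils\HTTP::setCookie()` behaves when the cookie cannot be set (for instance a secure cookie requested over plain HTTP). If it throws where the handler's method did not, this path needs to handle or document that. The enclosing method starts outside the hunk and only the tail of the remember-me branch is visible, so any other place that writes the auth token cookie should be checked for the same switch to keep the attributes consistent.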
-- 
GitLab