Secure cookies by default

bbec41dc · Tim van Dijen · 716ecdb1 · bbec41dc · bbec41dc
Commit bbec41dc authored 4 years ago by Tim van Dijen
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -566,7 +566,7 @@ $config = [
     * through https. If the user can access the service through
     * both http and https, this must be set to FALSE.
     */
-    'session.cookie.secure' => false,
+    'session.cookie.secure' => true,
    /*
     * Set the SameSite attribute in the cookie.
@@ -803,7 +803,7 @@ $config = [
    'language.cookie.name' => 'language',
    'language.cookie.domain' => null,
    'language.cookie.path' => '/',
-    'language.cookie.secure' => false,
+    'language.cookie.secure' => true,
    'language.cookie.httponly' => false,
    'language.cookie.lifetime' => (60 * 60 * 24 * 900),
    'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,

--- a/docs/simplesamlphp-upgrade-notes-1.19.md
+++ b/docs/simplesamlphp-upgrade-notes-1.19.md
@@ -5,3 +5,9 @@ The minimum PHP version required is now PHP 7.1.
 SAML 1 / Shib 1.3 support is now deprecated and will start logging notices
 when used. It will be removed in SimpleSAMLphp 2.0.
+SimpleSAMLphp 1.19 will automatically try to determine whether to set the sameSite-flag on cookies.
+Some browser require to set the Secure-flag as well for sameSite to work. Therefore, the default for
+the `session.cookie.secure` setting has been changed to TRUE. This will be the right setting for most
+setups anyway, however if you really need to use insecure cookies, you have to manually set it to false and
+figure out a value for `session.cookie.samesite` that works for your environment.