From bbec41dceca5af7f0b1d0093c98635edfb1f3fe0 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Wed, 24 Mar 2021 18:03:43 +0100
Subject: [PATCH] Secure cookies by default

---
 config-templates/config.php              | 4 ++--
 docs/simplesamlphp-upgrade-notes-1.19.md | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index 389485e92..1571fc50e 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -566,7 +566,7 @@ $config = [
      * through https. If the user can access the service through
      * both http and https, this must be set to FALSE.
      */
-    'session.cookie.secure' => false,
+    'session.cookie.secure' => true,
 
     /*
      * Set the SameSite attribute in the cookie.
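Review bot: The comment above the flipped `session.cookie.secure` line still only says when the option must be FALSE, so with the default now true a deployment that is reachable over plain http gets a session cookie the browser will never send back, and nothing in the template warns about it; that comment block begins before this hunk. Suggest extending it with a line such as ` * Defaults to TRUE since 1.19. Set to FALSE only if the service must be usable over plain http.` The upgrade note in the same patch ties this default to the SameSite handling, so a second line pointing operators who disable it to `session.cookie.samesite` would save them a debugging round.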
@@ -803,7 +803,7 @@ $config = [
     'language.cookie.name' => 'language',
     'language.cookie.domain' => null,
     'language.cookie.path' => '/',
-    'language.cookie.secure' => false,
+    'language.cookie.secure' => true,
     'language.cookie.httponly' => false,
     'language.cookie.lifetime' => (60 * 60 * 24 * 900),
     'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
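Review bot: `language.cookie.secure` is switched to true in this hunk as well, but the upgrade note added in docs/simplesamlphp-upgrade-notes-1.19.md names only `session.cookie.secure`, so an operator on plain http who follows the note and resets just the session cookie will still silently lose the language cookie. Either list both keys in the upgrade note or add a one-line comment here, e.g. `// Defaults to true since 1.19, same as session.cookie.secure; see upgrade notes.` The `language.cookie.samesite` line below picks `'None'` when the browser allows it, and per the upgrade note that value presumably needs the Secure flag, so whoever turns `language.cookie.secure` back off likely has to revisit this line too. The `$config` array continues outside the hunk.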
diff --git a/docs/simplesamlphp-upgrade-notes-1.19.md b/docs/simplesamlphp-upgrade-notes-1.19.md
index 58bf2354e..b2cecfb79 100644
--- a/docs/simplesamlphp-upgrade-notes-1.19.md
+++ b/docs/simplesamlphp-upgrade-notes-1.19.md
@@ -5,3 +5,9 @@ The minimum PHP version required is now PHP 7.1.
 
 SAML 1 / Shib 1.3 support is now deprecated and will start logging notices
 when used. It will be removed in SimpleSAMLphp 2.0.
+
+SimpleSAMLphp 1.19 will automatically try to determine whether to set the sameSite-flag on cookies.
+Some browser require to set the Secure-flag as well for sameSite to work. Therefore, the default for
+the `session.cookie.secure` setting has been changed to TRUE. This will be the right setting for most
+setups anyway, however if you really need to use insecure cookies, you have to manually set it to false and
+figure out a value for `session.cookie.samesite` that works for your environment.
-- 
GitLab