From c4ae073b792c29662f280f871f06783fff188b94 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 15 Feb 2010 09:46:55 +0000
Subject: [PATCH] Disable cookie secure-flag by default.
This patch removes the autodetection of the secure flag for the cookie
based on whether the user is accessing simpleSAMLphp through https. The
reason for this is that the user can often access an SP through both
https and http. If the user starts with http, everything will work, but
if the user starts with https, the user will get two separate cookies,
one for https and one for http.
This patch introduces a new configuration option in config.php:
/*
* Set the secure flag in the cookie.
*
* Set this to TRUE if the user only accesses your service
* through https. If the user can access the service through
* both http and https, this must be set to FALSE.
*/
'session.cookie.secure' => FALSE,
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2180 44740490-163a-0410-bde0-09ae8108e29a
---
config-templates/config.php | 10 ++++++++++
lib/SimpleSAML/SessionHandlerCookie.php | 26 +++----------------------
lib/SimpleSAML/SessionHandlerPHP.php | 3 ++-
3 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/config-templates/config.php b/config-templates/config.php
index 4e0ca044c..f4105766f 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -144,6 +144,16 @@ $config = array (
*/
'session.datastore.timeout' => (4*60*60), // 4 hours
+
+ /*
+ * Set the secure flag in the cookie.
+ *
+ * Set this to TRUE if the user only accesses your service
+ * through https. If the user can access the service through
+ * both http and https, this must be set to FALSE.
+ */
+ 'session.cookie.secure' => FALSE,
+
/*
* Options to override the default settings for php sessions.
*/
diff --git a/lib/SimpleSAML/SessionHandlerCookie.php b/lib/SimpleSAML/SessionHandlerCookie.php
index 83a462315..0ced9a384 100644
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -44,30 +44,10 @@ extends SimpleSAML_SessionHandler {
/* We don't have a valid session. Create a new session id. */
$this->session_id = self::createSessionID();
- setcookie('SimpleSAMLSessionID', $this->session_id, 0, '/',
- NULL, self::secureCookie());
- }
-
-
- /**
- * This function checks if we should set a secure cookie.
- *
- * @return TRUE if the cookie should be secure, FALSE otherwise.
- */
- private static function secureCookie() {
-
- if(!array_key_exists('HTTPS', $_SERVER)) {
- /* Not a https-request. */
- return FALSE;
- }
-
- if($_SERVER['HTTPS'] === 'off') {
- /* IIS with HTTPS off. */
- return FALSE;
- }
- /* Otherwise, HTTPS will be a non-empty string. */
- return $_SERVER['HTTPS'] !== '';
+ $config = SimpleSAML_Configuration::getInstance();
+ $secureFlag = $config->getBoolean('session.cookie.secure', FALSE);
+ setcookie('SimpleSAMLSessionID', $this->session_id, 0, '/', NULL, $secureFlag);
}
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 40af336ac..b404c82ca 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -34,7 +34,8 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
$config = SimpleSAML_Configuration::getInstance();
$cookiepath = ($config->getBoolean('session.phpsession.limitedpath', FALSE) ? '/' . $config->getBaseURL() : '/');
- session_set_cookie_params(0, $cookiepath, NULL, SimpleSAML_Utilities::isHTTPS());
+ $secureFlag = $config->getBoolean('session.cookie.secure', FALSE);
+ session_set_cookie_params(0, $cookiepath, NULL, $secureFlag);
$cookiename = $config->getString('session.phpsession.cookiename', NULL);
if (!empty($cookiename)) session_name($cookiename);
--
GitLab