Setting secure cookies for phpsession, and added config parameters for setting cookie name and path

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@403 44740490-163a-0410-bde0-09ae8108e29a

Setting secure cookies for phpsession, and added config parameters for setting cookie name and path
e37cf3eb · Andreas Åkre Solberg · 6b3c70c0 · e37cf3eb · e37cf3eb · e37cf3eb
Commit e37cf3eb authored 17 years ago by Andreas Åkre Solberg
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -106,6 +106,9 @@ $config = array (
 	'session.duration'		=>  8 * (60*60), // 8 hours.
 	'session.requestcache'	=>  4 * (60*60), // 4 hours
 	
+	'session.phpsession.cookiename'  => null,
+	'session.phpsession.limitedpath' => false,
+	
 	/*
 	 * Languages available and what language is default
 	 */

--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -117,6 +117,9 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo {
 		}
 	}
 	
+	
+	
+	
 	public static function init($authenticated = false, $authority = null) {
 		
 		$preinstance = self::getInstance();

--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -31,6 +31,14 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 		 * started, and we should avoid calling session_start().
 		 */
 		if(session_id() === '') {
+			$config = SimpleSAML_Configuration::getInstance();
+			
+			$cookiepath = ($config->getValue('session.phpsession.limitedpath', FALSE) ? '/' . $config->getValue('baseurlpath') : '/');
+			session_set_cookie_params(0, $cookiepath, NULL, SimpleSAML_Utilities::isHTTPS());
+			
+			$cookiename = $config->getValue('session.phpsession.cookiename', NULL);
+			if (!empty($cookiename)) session_name($cookiename);
+			
 			session_start();
 		}
 	}

--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -60,6 +60,27 @@ class SimpleSAML_Utilities {
 	
 	}
 	
+	/**
+	 * This function checks if we should set a secure cookie.
+	 *
+	 * @return TRUE if the cookie should be secure, FALSE otherwise.
+	 */
+	public static function isHTTPS() {
+
+		if(!array_key_exists('HTTPS', $_SERVER)) {
+			/* Not a https-request. */
+			return FALSE;
+		}
+
+		if($_SERVER['HTTPS'] === 'off') {
+			/* IIS with HTTPS off. */
+			return FALSE;
+		}
+
+		/* Otherwise, HTTPS will be a non-empty string. */
+		return $_SERVER['HTTPS'] !== '';
+	}
+	
 	/**
 	 * Will return https://sp.example.org/universities/ruc/baz/simplesaml/saml2/SSOService.php
 	 */