From f6c571ad5a3d9626b8889928918e48086415f2eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Sun, 10 May 2020 15:19:52 +0200
Subject: [PATCH] Fix bug with SameSite not being set

An issue in the code prevented the SameSite session cookie option from being set the first time we were reaching SSP when using PHP versions older than 7.3.

This fixes #1320
---
 lib/SimpleSAML/SessionHandlerPHP.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index c857df027..3a4f2ed18 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -90,10 +90,6 @@ class SessionHandlerPHP extends SessionHandler
                     'samesite' => $params['samesite'],
                 ]);
             } else {
-                /* in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute */
-                if ($params['samesite'] !== null and !preg_match('/;\s+samesite/i', $params['path'])) {
-                    $params['path'] .= '; SameSite=' . $params['samesite'];
-                }
                 session_set_cookie_params(
                     $params['lifetime'],
                     $params['path'],
@@ -329,6 +325,13 @@ class SessionHandlerPHP extends SessionHandler
 
         $ret['httponly'] = $config->getBoolean('session.phpsession.httponly', true);
 
+        if (version_compare(PHP_VERSION, '7.3.0', '<')) {
+            // in older versions of PHP we need a nasty hack to set RFC6265bis SameSite attribute
+            if ($ret['samesite'] !== null and !preg_match('/;\s+samesite/i', $ret['path'])) {
+                $ret['path'] .= '; SameSite=' . $ret['samesite'];
+            }
+        }
+
         return $ret;
     }
 
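Review bot: With the workaround moved into getCookieParams(), every consumer of the returned array on PHP < 7.3 now receives a `path` ending in `; SameSite=<value>`, not only the `session_set_cookie_params()` call touched by the first hunk. Any caller outside this diff that passes `$ret['path']` to its own cookie-setting code, or appends SameSite itself, could emit a duplicated or malformed attribute, so those call sites are worth checking; the method body starts above the hunk, so they are not visible here. The value is also concatenated into the cookie header unchecked, so unless it is validated upstream, restricting it keeps a configuration typo from adding stray attributes: `if (in_array($ret['samesite'], ['Strict', 'Lax', 'None'], true) and !preg_match('/;\s+samesite/i', $ret['path'])) {`. A comment above the return such as `// NOTE: on PHP < 7.3 'path' carries the SameSite suffix and must not be reused as a plain path` would make the contract explicit.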
-- 
GitLab