Allow "Secure" cookie attribute via HTTP on localhost (#2483)

exeba · Sebastiano Degan · tvdijen · tvdijen · commit c12a20c3ebd7 · 2025-07-10T16:58:07.000+02:00
* allow secure cookie on localhost

* allow ipv4 &amp; ipv6 loopback addresses

* Remove excess parenthesis

---------

Co-authored-by: Sebastiano Degan &lt;sebastiano@localhost.localdomain&gt;
Co-authored-by: Tim van Dijen &lt;tvdijen@gmail.com&gt;
diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
@@ -10,6 +10,7 @@ See the [upgrade notes](https://simplesamlphp.org/docs/stable/simplesamlphp-upgr
 Released TBD
 
 * Fix auth state AuthnInstant (#2478)
+* Allow "Secure" cookie attribute via HTTP on localhost (#2483)
 
 ## Version 2.3.8
 
diff --git a/src/SimpleSAML/SessionHandler.php b/src/SimpleSAML/SessionHandler.php
@@ -164,7 +164,7 @@ public function getCookieParams(): array
             'lifetime' => $config->getOptionalInteger('session.cookie.lifetime', 0),
             'path'     => $config->getOptionalString('session.cookie.path', '/'),
             'domain'   => $config->getOptionalString('session.cookie.domain', null),
-            'secure'   => $config->getOptionalBoolean('session.cookie.secure', $httpUtils->isHTTPS()),
+            'secure'   => $config->getOptionalBoolean('session.cookie.secure', $httpUtils->isSecureCookieAllowed()),
             'samesite' => $config->getOptionalString('session.cookie.samesite', null),
             'httponly' => true,
         ];
diff --git a/src/SimpleSAML/SessionHandlerPHP.php b/src/SimpleSAML/SessionHandlerPHP.php
@@ -190,8 +190,8 @@ public function getCookieSessionId(): ?string
         $session_cookie_params = session_get_cookie_params();
 
         $httpUtils = new Utils\HTTP();
-        if ($session_cookie_params['secure'] && !$httpUtils->isHTTPS()) {
-            throw new Error\Exception('Session start with secure cookie not allowed on http.');
+        if ($session_cookie_params['secure'] && !$httpUtils->isSecureCookieAllowed()) {
+            throw new Error\Exception('Session start with secure cookie not allowed on http (except on localhost).');
         }
 
         @session_start();
@@ -322,9 +322,9 @@ public function setCookie(string $sessionName, ?string $sessionID, ?array $cooki
         }
 
         $httpUtils = new Utils\HTTP();
-        if ($cookieParams['secure'] && !$httpUtils->isHTTPS()) {
+        if ($cookieParams['secure'] && !$httpUtils->isSecureCookieAllowed()) {
             throw new Error\CannotSetCookie(
-                'Setting secure cookie on plain HTTP is not allowed.',
+                'Setting secure cookie on plain HTTP (except on localhost) is not allowed.',
                 Error\CannotSetCookie::SECURE_COOKIE,
             );
         }
diff --git a/src/SimpleSAML/Utils/HTTP.php b/src/SimpleSAML/Utils/HTTP.php
@@ -1099,15 +1099,15 @@ public function setCookie(string $name, ?string $value, ?array $params = null, b
             $params = $default_params;
         }
 
-        // Do not set secure cookie if not on HTTPS
-        if ($params['secure'] && !$this->isHTTPS()) {
+        // Do not set secure cookie if not on HTTPS or localhost
+        if ($params['secure'] && !$this->isSecureCookieAllowed()) {
             if ($throw) {
                 throw new Error\CannotSetCookie(
-                    'Setting secure cookie on plain HTTP is not allowed.',
+                    'Setting secure cookie on plain HTTP (except on localhost) is not allowed.',
                     Error\CannotSetCookie::SECURE_COOKIE,
                 );
             }
-            Logger::warning('Error setting cookie: setting secure cookie on plain HTTP is not allowed.');
+            Logger::warning('Error setting cookie: setting secure cookie on plain HTTP (except on localhost) is not allowed.');
             return;
         }
 
@@ -1164,6 +1164,17 @@ public function setCookie(string $name, ?string $value, ?array $params = null, b
     }
 
 
+    /**
+     * Check if "Secure" attribute on cookies is supported
+     *
+     * @return boolean True "Secure" attribute can be set, false otherwise.
+     */
+    public function isSecureCookieAllowed(): bool
+    {
+        return $this->isHTTPS() || in_array($this->getSelfHost(), ['localhost', '127.0.0.1', '::1'], true);
+    }
+
+
     /**
      * Submit a POST form to a specific destination.
      *

Original file line number	Diff line number	Diff line change
`@@ -190,8 +190,8 @@ public function getCookieSessionId(): ?string`
`190`	`190`	`$session_cookie_params = session_get_cookie_params();`
`191`	`191`
`192`	`192`	`$httpUtils = new Utils\HTTP();`
`193`		`- if ($session_cookie_params['secure'] && !$httpUtils->isHTTPS()) {`
`194`		`- throw new Error\Exception('Session start with secure cookie not allowed on http.');`
	`193`	`+ if ($session_cookie_params['secure'] && !$httpUtils->isSecureCookieAllowed()) {`
	`194`	`+ throw new Error\Exception('Session start with secure cookie not allowed on http (except on localhost).');`
`195`	`195`	`}`
`196`	`196`
`197`	`197`	`@session_start();`
`@@ -322,9 +322,9 @@ public function setCookie(string $sessionName, ?string $sessionID, ?array $cooki`
`322`	`322`	`}`
`323`	`323`
`324`	`324`	`$httpUtils = new Utils\HTTP();`
`325`		`- if ($cookieParams['secure'] && !$httpUtils->isHTTPS()) {`
	`325`	`+ if ($cookieParams['secure'] && !$httpUtils->isSecureCookieAllowed()) {`
`326`	`326`	`throw new Error\CannotSetCookie(`
`327`		`- 'Setting secure cookie on plain HTTP is not allowed.',`
	`327`	`+ 'Setting secure cookie on plain HTTP (except on localhost) is not allowed.',`
`328`	`328`	`Error\CannotSetCookie::SECURE_COOKIE,`
`329`	`329`	`);`
`330`	`330`	`}`