Secure flag missing on lemonldappdata cookie and during logout
Environment
LemonLDAP::NG version: 2.0.8
Summary
- When setting pdata, the Secure flag is not set either. Chrome's upcoming SameSite change only sends cookies cross-site when they carry `SameSite=None`, and it rejects any `SameSite=None` cookie that lacks `Secure`, so most Issuer flows (which rely on cross-site cookie sends) will break once Google rolls it out.
- When clearing the SSO (`lemonldap`) cookie, the Secure flag is never set either:
```perl
# Create an obsolete cookie to remove it.
# The Secure attribute is hard-coded to 0 here, regardless of the
# securedCookie setting, so the clearing cookie does not match a
# Secure SSO cookie and is dropped by browsers enforcing SameSite=None + Secure.
$req->addCookie(
    $self->cookie(
        name    => $self->conf->{cookieName},
        value   => 0,
        domain  => $self->conf->{domain},
        secure  => 0,
        expires => 'Wed, 21 Oct 2015 00:00:00 GMT'
    )
) unless ($preserveCookie);
```
Possible fixes
Set the Secure flag according to the `securedCookie` parameter, for the pdata cookie and for the obsolete cookie used to clear the SSO cookie on logout.
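As an added, self-contained example (not LemonLDAP::NG's own code), the snippet below shows what the proposed fix looks like and why it matters: the Secure attribute of the clearing cookie is derived from `securedCookie` rather than hard-coded, and a small check reproduces Chrome's rule that a `SameSite=None` cookie without `Secure` is rejected. The `%conf` hash, the `build_cookie`/`clear_sso_cookie`/`browser_accepts` functions and the `sameSite` key are assumptions for this illustration; only `cookieName`, `domain` and `securedCookie` come from the report, and treating any non-zero `securedCookie` as "set Secure" is also an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for $self->conf. cookieName, domain and securedCookie
# are the parameter names from the report; sameSite is assumed here to model
# the cross-site (Issuer flow) case that Chrome's SameSite change affects.
my %conf = (
    cookieName    => 'lemonldap',
    domain        => '.example.com',
    securedCookie => 1,       # assumed: non-zero means "set the Secure flag"
    sameSite      => 'None',  # cross-site sends require SameSite=None
);

# Build a Set-Cookie header value from named attributes (illustrative helper).
sub build_cookie {
    my (%args) = @_;
    my @parts = ("$args{name}=$args{value}");
    push @parts, "Domain=$args{domain}"     if $args{domain};
    push @parts, "Path=" . ( $args{path} // '/' );
    push @parts, "Expires=$args{expires}"   if $args{expires};
    push @parts, "SameSite=$args{samesite}" if $args{samesite};
    push @parts, 'Secure'                   if $args{secure};
    push @parts, 'HttpOnly'                 if $args{httponly};
    return join '; ', @parts;
}

# Mirrors the "obsolete cookie" from the report, but with Secure taken from
# securedCookie instead of a hard-coded 0. The same rule applies to pdata.
sub clear_sso_cookie {
    my ($conf) = @_;
    return build_cookie(
        name     => $conf->{cookieName},
        value    => 0,
        domain   => $conf->{domain},
        secure   => ( $conf->{securedCookie} ? 1 : 0 ),
        samesite => $conf->{sameSite},
        httponly => 1,
        expires  => 'Wed, 21 Oct 2015 00:00:00 GMT',
    );
}

# Chrome's rule: a SameSite=None cookie without Secure is rejected outright.
# Returns 1 if the cookie would be stored, 0 if it would be dropped.
sub browser_accepts {
    my ($header) = @_;
    my $none   = $header =~ /;\s*SameSite=None\b/i;
    my $secure = $header =~ /;\s*Secure\b/i;
    return ( $none && !$secure ) ? 0 : 1;
}

# Fixed behaviour: Secure follows securedCookie, so the clearing cookie
# survives the SameSite=None check and actually removes the SSO cookie.
my $fixed = clear_sso_cookie( \%conf );
print "$fixed\n";
print 'accepted by browser: ', ( browser_accepts($fixed) ? 'yes' : 'no' ), "\n";

# Reported behaviour: secure => 0 regardless of configuration. Once SameSite=None
# is in play the browser drops this cookie and the logout does not clear the SSO cookie.
my $broken = build_cookie(
    name     => $conf{cookieName},
    value    => 0,
    domain   => $conf{domain},
    secure   => 0,
    samesite => $conf{sameSite},
    expires  => 'Wed, 21 Oct 2015 00:00:00 GMT',
);
print "$broken\n";
print 'accepted by browser: ', ( browser_accepts($broken) ? 'yes' : 'no' ), "\n";
```

Run it with `perl` and compare the two headers: the only difference is the `Secure` attribute, and that difference decides whether the clearing cookie is accepted. Note that browsers also require a clearing cookie to match the original cookie's name, domain and path, so the fix has to set Secure on the obsolete cookie exactly as on the SSO cookie it replaces.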