Cookie sent to untrusted domain with CDA
Assume CDA is enabled and test.example.net is a trusted domain.
A user asking for http://test.example.net/ will be redirected to the portal URL, then back to http://test.example.net/?lemonldap=xxx, then to http://test.example.net/ with a cookie 'lemonldap' whose domain is example.net. Here is the problem: example.net is not in the trusted domains, so hacker.example.net can get the cookie value.
We can either check that the cookie domain is in the trusted domains, or simply set the cookie domain to the hostname. As trustedDomains is not in the LL::NG::Handler conf, I prefer the last solution.
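
The difference between the two cookie scopes described above, as an added Python illustration that is not LemonLDAP::NG code: it models the browser's RFC 6265 matching rules to show which hosts receive the cookie when it carries `Domain=example.net` and when it is host-only. The function names and the host list are hypothetical and constructed for this example.

```python
# Added illustration; not LemonLDAP::NG code. All names are hypothetical.

def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def build_cda_cookie(name, value, request_host, domain=None):
    """Return (Set-Cookie header value, cookie record as the browser stores it).

    domain=None  -> no Domain attribute, so the cookie is host-only.
    domain given -> domain cookie, sent to every host that domain-matches.
    """
    header = f"{name}={value}; Path=/"
    if domain is not None:
        header += f"; Domain={domain}"
    record = {
        "name": name,
        "host_only": domain is None,
        "domain": (domain or request_host).lower().lstrip("."),
    }
    return header, record

def browser_sends(record, request_host: str) -> bool:
    """RFC 6265 section 5.4: a host-only cookie needs an exact host match."""
    host = request_host.lower().rstrip(".")
    if record["host_only"]:
        return host == record["domain"]
    return domain_match(host, record["domain"])

def exposure(record, hosts):
    """Hosts from the list that would receive the cookie."""
    return [h for h in hosts if browser_sends(record, h)]

# Constructed host list: the protected vhost, a sibling vhost, the parent domain.
HOSTS = ["test.example.net", "hacker.example.net", "example.net"]

if __name__ == "__main__":
    cases = (("domain cookie", "example.net"), ("host-only cookie", None))
    for label, dom in cases:
        header, rec = build_cda_cookie("lemonldap", "xxx", "test.example.net", dom)
        print(f"{label}: Set-Cookie: {header}")
        print("  sent to:", exposure(rec, HOSTS))
```
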