diff --git a/config/install/simplesamlphp_auth.settings.yml b/config/install/simplesamlphp_auth.settings.yml
index 0d57d52..4e441b5 100644
--- a/config/install/simplesamlphp_auth.settings.yml
+++ b/config/install/simplesamlphp_auth.settings.yml
@@ -23,3 +23,5 @@ sync:
user_name: true
autoenablesaml: false
debug: false
+secure: false
+httponly: false
\ No newline at end of file
diff --git a/config/schema/simplesamlphp_auth.schema.yml b/config/schema/simplesamlphp_auth.schema.yml
index 241e859..5838f76 100644
--- a/config/schema/simplesamlphp_auth.schema.yml
+++ b/config/schema/simplesamlphp_auth.schema.yml
@@ -82,3 +82,9 @@ simplesamlphp_auth.settings:
debug:
type: boolean
label: 'Expand the level of Drupal logging to include debugging information'
+ secure:
+ type: boolean
+ label: 'Cookie only transmitted over HTTPS'
+ httponly:
+ type: boolean
+ label: 'Cookie only accessible over HTTP protocol'
\ No newline at end of file
diff --git a/src/Controller/SimplesamlphpAuthController.php b/src/Controller/SimplesamlphpAuthController.php
index 22ba23c..7b0ada1 100644
--- a/src/Controller/SimplesamlphpAuthController.php
+++ b/src/Controller/SimplesamlphpAuthController.php
@@ -160,7 +160,9 @@ class SimplesamlphpAuthController extends ControllerBase implements ContainerInj
if (isset($redirect)) {
// Set the cookie so we can deliver the user to the place they started.
// @TODO probably a more symfony way of doing this
- setrawcookie('simplesamlphp_auth_returnto', $redirect, time() + 60 * 60);
+ $cookie_secure = $this->config->get('secure');
+ $cookie_httponly = $this->config->get('httponly');
+ setrawcookie('simplesamlphp_auth_returnto', $redirect, time() + 60 * 60, "", "", $cookie_secure, $cookie_httponly);
}

// User is logged in to the SimpleSAMLphp IdP, but not to Drupal.
diff --git a/src/Form/BasicSettingsForm.php b/src/Form/BasicSettingsForm.php
index 3095fef..79b3946 100644
--- a/src/Form/BasicSettingsForm.php
+++ b/src/Form/BasicSettingsForm.php
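Review bot: Both new keys default to `false`, so on a fresh install the return-to cookie that the controller sets in this same commit goes out without Secure or HttpOnly until an admin discovers the new checkboxes. HttpOnly has no functional cost for a cookie that nothing in this diff reads client-side, so `httponly: true` is the safer default, and `secure: true` belongs wherever the SAML exchange already runs over HTTPS. Note also that config/install is only read at module install time; sites that merely update keep no value for either key unless an update hook (not part of this diff) adds them, and `config->get()` then returns null at the new controller call.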
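Review bot: The two values read from config on the first two added lines are passed straight into setrawcookie()'s bool parameters without a cast; on a site that updated rather than installed, neither key exists yet (no update hook is in this diff), `$this->config->get()` returns null, and PHP 8.1+ logs a deprecated null-to-bool coercion on every login redirect. Cast at the read, `$cookie_secure = (bool) $this->config->get('secure');` and `$cookie_httponly = (bool) $this->config->get('httponly');`, or default with `?? FALSE`. Secure is really a property of the connection rather than a site preference, so deriving it from the request (Symfony's `$request->isSecure()`) instead of a checkbox would stop a forgotten setting from sending the return-to cookie over plain HTTP; whether this method has the request in hand is not visible in the hunk. The enclosing method starts and ends outside the hunk.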
@@ -85,6 +85,24 @@ class BasicSettingsForm extends ConfigFormBase {
'#description' => $this->t('Determines whether or not the module should automatically create/register new Drupal accounts for users that authenticate using SimpleSAMLphp. Unless you\'ve done some custom work to provision Drupal accounts with the necessary authmap entries you will want this checked.

NOTE: If unchecked each user must already have been provisioned a Drupal account correctly linked to the SAML authname attribute (e.g. by creating Drupal users with "Enable this user to leverage SAML authentication" checked). Otherwise they will receive a notice and be denied access.'),
];
+ $form['security'] = [
+ '#type' => 'fieldset',
+ '#title' => $this->t('Security'),
+ '#collapsible' => FALSE,
+ ];
+ $form['security']['secure'] = [
+ '#type' => 'checkbox',
+ '#title' => $this->t('Cookie only transmitted over HTTPS'),
+ '#default_value' => $config->get('secure'),
+ '#description' => $this->t('Cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists.'),
+ ];
+ $form['security']['httponly'] = [
+ '#type' => 'checkbox',
+ '#title' => $this->t('Cookie only accessible over HTTP protocol'),
+ '#default_value' => $config->get('httponly'),
+ '#description' => $this->t('Cookie will be made accessible only through the HTTP protocol. This means that the cookie won\'t be accessible by scripting languages, such as JavaScript.'),
+ ];
+
return parent::buildForm($form, $form_state);
}
@@ -99,6 +117,8 @@ class BasicSettingsForm extends ConfigFormBase {
$config->set('auth_source', $form_state->getValue('auth_source'));
$config->set('login_link_display_name', $form_state->getValue('login_link_display_name'));
$config->set('debug', $form_state->getValue('debug'));
+ $config->set('secure', $form_state->getValue('secure'));
+ $config->set('httponly', $form_state->getValue('httponly'));
$config->set('register_users', $form_state->getValue('register_users'));
$config->set('header_no_cache', $form_state->getValue('header_no_cache'));
$config->save();
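Review bot: The `httponly` checkbox title on the new side, `'Cookie only accessible over HTTP protocol'`, describes the flag backwards for an admin: the cookie is transmitted over HTTP(S) either way, and HttpOnly only withholds it from client-side scripts, which is what the description under it already says. Suggest `'#title' => $this->t('Hide cookie from client-side scripts (HttpOnly)')`, and for `secure` a description stating that the browser will not send the cookie over plain HTTP rather than that it "will only be set if a secure connection exists", since the server-side flag does not inspect the connection. Both `#default_value`s come from config that the install file in this commit sets to false, so the return-to cookie stays script-readable unless an admin opts in; HttpOnly in particular should default on, as nothing in this diff reads the cookie client-side. `'#collapsible' => FALSE` on the fieldset reads like a Drupal 7 holdover that the Drupal 8 fieldset element does not appear to honour, worth checking against the other fieldsets in this form. buildForm's signature is outside the hunk.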