I have an application that uses saml authentication and passes the response back via a cookie to the return URL the SP provides. The php code looks like this
setcookie('auth', $cred, time() + 30, parse_url($location, PHP_URL_HOST));
error_log($_COOKIE['auth']);
header('Location: ' . $location, true, 303);
die();
The redirect works fine but the cookie is not set. This is confirmed both in php as shown above, and in my application using document.cookies
I've exported the HAR to view the request and it actually looks like the cookie is being set, but it's still not accessible via document.cookie. The way it is supposed to work is that the application changes the window.location to the php file that authenticates, sets the cookie and redirects to the return parameter. Judging by the fact that the request is sent with the cookie, I'd guess that it is being set, but I can't seem to access it.
{
"startedDateTime": "2017-10-27T18:05:36.538Z",
"time": 271.7059999888301,
"request": {
"method": "GET",
"url": "https://supportworkslab.sw.test/sw/selfservice/sso/saml_auth.php?wssinstance=selfservice&returnto=http%3A%2F%2Flocalhost%2Fsw%2Fselfservice",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Host",
"value": "supportworkslab.sw.test"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.9"
},
{
"name": "Upgrade-Insecure-Requests",
"value": "1"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"
},
{
"name": "Accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
},
{
"name": "Referer",
"value": "http://localhost/sw/selfservice/"
},
{
"name": "Cookie",
"value": "auth=eyJzdWNjZXNzIjoiQXV0aGVudGljYXRpb24gc3VjY2VzcyEiLCJjdXN0aWQiOiJhbGFuYyIsInNlc3Npb25JZCI6IjU5ZjM2MGRjLTBhOTI5NWFlLTQxYzEiLCJ3ZWJGbGFncyI6IjIxNDc0ODk1NTEiLCJjYWxsQ2xhc3MiOiJJbmNpZGVudCIsImFzc2lnbkdyb3VwIjoiU1VQUE9SVCIsImFzc2lnbkFuYWx5c3QiOiIifQ%3D%3D; SimpleSAMLAuthToken=_04a2be772f96fad7c5e2452846c05df5cbd570305e; SimpleSAML=62d6b2ebea7f66b0360a328dcb4f77a7; PHPSESSID=k9hpb09i3omt43bv7gireeuid0"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Cache-Control",
"value": "no-cache"
}
],
"queryString": [
{
"name": "wssinstance",
"value": "selfservice"
},
{
"name": "returnto",
"value": "http%3A%2F%2Flocalhost%2Fsw%2Fselfservice"
}
],
"cookies": [
{
"name": "auth",
"value": "eyJzdWNjZXNzIjoiQXV0aGVudGljYXRpb24gc3VjY2VzcyEiLCJjdXN0aWQiOiJhbGFuYyIsInNlc3Npb25JZCI6IjU5ZjM2MGRjLTBhOTI5NWFlLTQxYzEiLCJ3ZWJGbGFncyI6IjIxNDc0ODk1NTEiLCJjYWxsQ2xhc3MiOiJJbmNpZGVudCIsImFzc2lnbkdyb3VwIjoiU1VQUE9SVCIsImFzc2lnbkFuYWx5c3QiOiIifQ%3D%3D",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SimpleSAMLAuthToken",
"value": "_04a2be772f96fad7c5e2452846c05df5cbd570305e",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "SimpleSAML",
"value": "62d6b2ebea7f66b0360a328dcb4f77a7",
"expires": null,
"httpOnly": false,
"secure": false
},
{
"name": "PHPSESSID",
"value": "k9hpb09i3omt43bv7gireeuid0",
"expires": null,
"httpOnly": false,
"secure": false
}
],
"headersSize": 996,
"bodySize": 0
},
"response": {
"status": 303,
"statusText": "See Other",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Date",
"value": "Fri, 27 Oct 2017 18:05:36 GMT"
},
{
"name": "Server",
"value": "Apache"
},
{
"name": "Content-Type",
"value": "text/html"
},
{
"name": "Location",
"value": "http://localhost/sw/selfservice"
},
{
"name": "Set-Cookie",
"value": "SimpleSAML=62d6b2ebea7f66b0360a328dcb4f77a7; path=/; HttpOnly"
},
{
"name": "Set-Cookie",
"value": "PHPSESSID=k9hpb09i3omt43bv7gireeuid0; path=/; HttpOnly"
},
{
"name": "Set-Cookie",
"value": "auth=eyJzdWNjZXNzIjoiQXV0aGVudGljYXRpb24gc3VjY2VzcyEiLCJjdXN0aWQiOiJhbGFuYyIsInNlc3Npb25JZCI6IjU5ZjM3NTcwLTBhZTJmNzAzLTNmMTIiLCJ3ZWJGbGFncyI6IjIxNDc0ODk1NTEiLCJjYWxsQ2xhc3MiOiJJbmNpZGVudCIsImFzc2lnbkdyb3VwIjoiU1VQUE9SVCIsImFzc2lnbkFuYWx5c3QiOiIifQ%3D%3D; expires=Fri, 27-Oct-2017 18:06:36 GMT; Max-Age=60; domain=localhost"
},
{
"name": "Cache-Control",
"value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
},
{
"name": "Content-Security-Policy",
"value": "default-src 'self' *.sw.test; frame-src *.twitter.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.twitter.com *.twimg.com; style-src 'self' 'unsafe-inline' *.twitter.com *.twimg.com; img-src 'self' data: *.twimg.com *.twitter.com;"
},
{
"name": "Connection",
"value": "Keep-Alive"
},
{
"name": "Keep-Alive",
"value": "timeout=5, max=100"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Expires",
"value": "Thu, 19 Nov 1981 08:52:00 GMT"
}
],
"cookies": [
{
"name": "SimpleSAML",
"value": "62d6b2ebea7f66b0360a328dcb4f77a7",
"path": "/",
"expires": null,
"httpOnly": true,
"secure": false
},
{
"name": "PHPSESSID",
"value": "k9hpb09i3omt43bv7gireeuid0",
"path": "/",
"expires": null,
"httpOnly": true,
"secure": false
},
{
"name": "auth",
"value": "eyJzdWNjZXNzIjoiQXV0aGVudGljYXRpb24gc3VjY2VzcyEiLCJjdXN0aWQiOiJhbGFuYyIsInNlc3Npb25JZCI6IjU5ZjM3NTcwLTBhZTJmNzAzLTNmMTIiLCJ3ZWJGbGFncyI6IjIxNDc0ODk1NTEiLCJjYWxsQ2xhc3MiOiJJbmNpZGVudCIsImFzc2lnbkdyb3VwIjoiU1VQUE9SVCIsImFzc2lnbkFuYWx5c3QiOiIifQ%3D%3D",
"domain": "localhost",
"expires": "2017-10-27T18:06:36.254Z",
"httpOnly": false,
"secure": false
}
],
"content": {
"size": 0,
"mimeType": "text/html",
"compression": 0
},
"redirectURL": "http://localhost/sw/selfservice",
"headersSize": 1104,
"bodySize": 0,
"_transferSize": 1104
},
$_COOKIEshows the incoming cookies. To diagnose the issue you should use you browser developer tools.wget -S) in your question; elaborate on domain name etc.Set-Cookie: auth=eyJ...%3D%3D; expires=Fri, 27-Oct-2017 18:06:36 GMT; Max-Age=60; domain=localhost. Please check the linked question.