Who is "responsible" for the AuthToken cookie?


Dev Master

Nov 25, 2020, 8:46:02 AM11/25/20
to SimpleSAMLphp
Hello everybody,

We are a SAML2 SP and our client integrates into us as a SAML2 IdP.

Things are going well, but we get the very occasional warning of
"missing AuthToken cookie" in the SimpleSAML log.

This AuthToken cookie warning seems to always be connected with (in the PHP error log):
"PHP Fatal error:  Uncaught ErrorException: session_id():
Cannot change session id when headers already sent in /var/www/my-vhost/laravel/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php:192
".

But my question is simply (I think) for someone familiar with the SAML flow:

[QUESTION] Is the AuthToken cookie something that the IdP should be sending to the SP? Or does the SP generate this?

Basically, is "missing AuthToken cookie" the problem of the SP maintainers or the IdP maintainers?


Kind regards,
Daniel

Peter Schober

Nov 26, 2020, 9:56:29 AM11/26/20
to SimpleSAMLphp
* Dev Master <devm...@inspireemail.co.uk> [2020-11-25 14:46]:
> This AuthToken cookie warning seems to always be connected with (in the PHP
> error log):
> "
> *PHP Fatal error: Uncaught ErrorException: session_id():Cannot change
> session id when headers already sent in
> /var/www/my-vhost/laravel/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/SessionHandlerPHP.php:192*
> ".

That suggests a programming error on your side when integrating SSP
with your application. ("Cannot change session id when headers already sent")

> But my question is simply (I think) for someone familiar with the SAML flow:
>
> [QUESTION] Is the AuthToken cookie something that the IdP should be sending
> to the SP? Or does the SP generate this?

HTTP Cookies are set by your server in responses to the subject's web
browser and read when the browser sends them back with further
requests later.
They're never sent from an entity (say, the IDP) to another (the SP).

Also, the AuthToken cookie is an implementation detail of
SimpleSAMLphp and doesn't concern or affect anyone/anything else.

HTH,
-peter
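An added PHP example, not from the thread and not SimpleSAMLphp's own code, that reproduces the condition behind the error Daniel quotes ("Cannot change session id when headers already sent") and shows the guard an application embedding SSP can use to find the stray output. `switch_session_id` is a hypothetical helper standing in for a session-handler id change; the response body it echoes is constructed to simulate a template or whitespace leak.

```php
<?php
// Added example (not code from the thread or from SimpleSAMLphp).
// The session cookie, like SSP's own cookies, travels as a Set-Cookie
// response header, so the session id can only be changed while the
// application has not yet started sending the response body.
declare(strict_types=1);

/**
 * Hypothetical stand-in for a session handler switching the PHP session id.
 * Returns true when the switch was possible, false when output has already
 * gone to the client (the situation behind the fatal error in the thread),
 * logging where that output started so the leak can be located.
 */
function switch_session_id(string $newId): bool
{
    $file = '';
    $line = 0;
    // headers_sent() reports the file and line of the first output, which is
    // usually a template, a UTF-8 BOM, or whitespace after a closing ?> tag.
    if (headers_sent($file, $line)) {
        error_log(sprintf(
            'session id not changed: response output already started at %s:%d',
            $file,
            $line
        ));
        return false;
    }
    // session_id() cannot be called while a session is active, so close it first.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($newId);
    return session_start();
}

// Demonstration for a web SAPI (for example under the php -S test server):
// the first switch happens before any output, the second after a constructed
// "stray" echo has started the body, which is the failure mode in the thread.
if (PHP_SAPI !== 'cli') {
    $results = [];
    $results['before_output'] = switch_session_id(bin2hex(random_bytes(16)));
    echo "<!-- constructed stray output from a view -->\n";
    flush(); // push the body (and therefore the headers) to the client
    $results['after_output'] = switch_session_id(bin2hex(random_bytes(16)));
    var_dump($results);
}
```

The practical consequence for an SP integration is the one Peter points to: the fix belongs in the application that wraps SSP, by making sure nothing writes to the response before the SAML handler runs, rather than anywhere on the IdP side. The `$file:$line` pair that `headers_sent()` hands back is normally enough to find the offending include.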
