Hi Jake,
Thanks for the bug report! You are correct, not only does that "session.referer_check" kill SAML, it also means that if you navigate to your Mahara site via a link (say, from an email), you get logged out.
We put that in there because the patch was based on the recommendations in the PHP manual's "securing sessions" page: http://php.net/manual/en/session.security.php
... but that page also points out that the setting is only helpful if you've turned on session.use_trans_sid. And we have always had session.use_trans_sid turned off, therefore we don't also need session.referer_check.
So, I will push a patch to get rid of that.
Cheers,
Aaron
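To show why the setting behaves as described, here is an added Python simulation of PHP's documented session.referer_check rule (this is not Mahara code and not part of the thread); the host names and the list of sample requests are constructed.

```python
"""Simulate PHP's session.referer_check against a few constructed requests.

Per the PHP manual: when session.referer_check is non-empty, the client
sent a Referer header, and that header does not contain the configured
substring, the session id is treated as invalid (the user is effectively
logged out). A request with no Referer header passes the check.
"""

from typing import Dict, Optional


def session_survives(referer_check: str, referer: Optional[str]) -> bool:
    """Return True if PHP would keep the session for this request."""
    if not referer_check:            # setting empty or unset: check disabled
        return True
    if referer is None:              # no Referer header sent: check passes
        return True
    return referer_check in referer  # plain substring match, not an origin match


# Constructed sample requests for a Mahara site hosted at mahara.example.org
REQUESTS: Dict[str, Optional[str]] = {
    "in-site link": "https://mahara.example.org/view/index.php",
    "SAML POST from IdP": "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
    "link from webmail": "https://mail.example.com/inbox",
    "typed URL / bookmark": None,
}


def evaluate(referer_check: str) -> Dict[str, bool]:
    """Map each sample request to whether the session would survive it."""
    return {name: session_survives(referer_check, ref) for name, ref in REQUESTS.items()}


if __name__ == "__main__":
    # Compare the setting the patch added against the fix (empty = disabled)
    for setting in ("mahara.example.org", ""):
        print(f"session.referer_check = {setting!r}")
        for name, ok in evaluate(setting).items():
            print(f"  {name:22} -> {'session kept' if ok else 'LOGGED OUT'}")
```

With the check enabled, the SAML response posted back from the IdP and the link clicked in webmail both arrive with a foreign Referer and lose the session, which is exactly the behaviour reported.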