Comment 1 for bug 1566366

Aaron Wells (u-aaronw) wrote:

Hi Jake,

Thanks for the bug report! You are correct, not only does that "session.referer_check" kill SAML, it also means that if you navigate to your Mahara site via a link (say, from an email), you get logged out.

We put that in there because the patch was based on the recommendations in the PHP manual's "securing sessions" page: http://php.net/manual/en/session.security.php

... but that page also points out that the setting is only helpful if you've turned on session.use_trans_id. And we have always had session.use_trans_id turned off, therefore we don't also need session.referer_check.

So, I will push a patch to get rid of that.

Cheers,
Aaron
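To make the logout behaviour described in this comment concrete, here is an added Python model of PHP's session.referer_check rule (the PHP manual states the id is rejected only when a Referer header was sent and it does not contain the configured substring). This is illustration code, not Mahara's code or anything from this thread; the host names and sample requests are constructed.

```python
"""Model of PHP's session.referer_check decision (added illustration).

PHP keeps the presented session id when the request carries no Referer
header, or when the Referer contains the configured substring. A request
whose Referer is present but lacks the substring gets a fresh, empty
session, which the user experiences as being logged out.
"""
from dataclasses import dataclass
from typing import List, Optional

SITE = "mahara.example.org"  # assumed Mahara host used as the check string


@dataclass
class Request:
    name: str
    referer: Optional[str]  # None when the client sent no Referer header
    session_cookie: bool = True  # client presented an existing session id


def session_kept(req: Request, referer_check: str) -> bool:
    """True if PHP would accept the session id carried by this request."""
    if not req.session_cookie:
        return False  # no id to accept; PHP starts a new session anyway
    if not referer_check:
        return True  # directive empty: check disabled (the proposed fix)
    if not req.referer:
        return True  # header absent or empty: PHP does not check it
    return referer_check in req.referer  # plain substring match


# Constructed sample requests covering the flows named in the bug report.
SAMPLE_REQUESTS = [
    Request("same-site navigation", f"https://{SITE}/dashboard"),
    Request("SAML response POSTed back from the IdP",
            "https://idp.example.edu/saml/sso"),
    Request("link clicked in a desktop mail client", None),
    Request("link clicked in webmail", "https://mail.example.com/inbox"),
]


def logged_out_flows(referer_check: str) -> List[str]:
    """Names of the sample flows that would lose their session."""
    return [r.name for r in SAMPLE_REQUESTS if not session_kept(r, referer_check)]


if __name__ == "__main__":
    print("referer_check =", repr(SITE), "->", logged_out_flows(SITE))
    print("referer_check = '' ->", logged_out_flows(""))
```

With the check set to the site host, the SAML callback and the webmail link both lose the session, while the same-site request and the Referer-less mail client link survive; with the directive cleared, nothing is logged out.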