Checking for a secure server connection with the setting "session.cookie.secure = true" leads to unwanted behaviour in load balancer TLS-terminated environments, where the application server running SimpleSAMLphp sees internal HTTP connections only and prevents setting the cookie secure flag.
Please remove this check, because interpreting the secure flag on the cookie should be left for the browser to decide. Or maybe even better, add an extra setting, e.g. "behindsecureproxy", which can be used to fine-tune the behaviour.
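An added illustration of the trade-off behind this request; it is not part of the original report and not SimpleSAMLphp code. It shows a direct-HTTPS check failing behind a TLS-terminating load balancer, next to a variant that accepts the forwarded protocol only from a known proxy address. The function names, the `X-Forwarded-Proto` header choice, the trusted-proxy list and all sample addresses are assumptions.

```php
<?php
// Added illustration, not SimpleSAMLphp code. All names here are hypothetical.

/** True if the client-facing connection was HTTPS. */
function request_is_https(array $server, array $trustedProxies): bool
{
    // Case 1: TLS terminates on this server.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: TLS terminates upstream. Believe the forwarded protocol only
    // when the TCP peer is a proxy we operate; any client can send the header.
    // Assumes a single proxy hop that overwrites the header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        return $proto === 'https';
    }
    return false;
}

/** Cookie parameters for the session, refusing to downgrade silently. */
function session_cookie_params(array $server, bool $cookieSecure, array $trustedProxies): array
{
    if ($cookieSecure && !request_is_https($server, $trustedProxies)) {
        // Fail loudly instead of issuing a session cookie without Secure.
        throw new RuntimeException('cookie secure flag requested but request is not HTTPS');
    }
    return ['secure' => $cookieSecure, 'httponly' => true, 'path' => '/'];
}

// Constructed sample requests (addresses are made up for the example).
$trusted  = ['10.0.0.5'];
$behindLb = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];

// With no trusted proxies, the load-balanced request is rejected: the
// situation the report describes.
foreach ([[$behindLb, []], [$behindLb, $trusted], [$spoofed, $trusted]] as [$req, $proxies]) {
    try {
        $params = session_cookie_params($req, true, $proxies);
        echo $req['REMOTE_ADDR'], ': secure=', var_export($params['secure'], true), "\n";
    } catch (RuntimeException $e) {
        echo $req['REMOTE_ADDR'], ': ', $e->getMessage(), "\n";
    }
}
```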