From fa7f513eb980046f7a6cfa1e0f7b011de4f83db0 Mon Sep 17 00:00:00 2001
From: Angelo Bottazzo
Date: Fri, 22 Dec 2023 09:01:04 +0100
Subject: [PATCH] Applied corrections from https://github.com/WPGov/wp-spid-italia/issues/43

---
 wp-spid-italia.php | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/wp-spid-italia.php b/wp-spid-italia.php
index d7ce9a0..39005ad 100644
--- a/wp-spid-italia.php
+++ b/wp-spid-italia.php
@@ -47,8 +47,9 @@ function() { include( plugin_dir_path( __FILE__ ) . 'admin/settings.php'); spid_
 add_action( 'init', function() {
 if ( session_status() == PHP_SESSION_NONE ) {
- session_start();
- }
+ session_set_cookie_params(['samesite' => 'None']);
+ session_start(['cookie_secure' => true,'cookie_httponly' => true]);
+ }
 if ( isset( $_GET['spid_metadata'] ) && $_GET['spid_metadata'] == spid_get_metadata_token() ) {
 header( 'Content-type: text/xml' );
@@ -245,11 +246,18 @@ function spid_handle() {
 }
 if ( isset( $_GET['spid_idp'] ) && $_GET['spid_idp'] != '' ) {
- if ( $sp->isAuthenticated() ) {
- session_destroy();
- $_SESSION = NULL;
- session_start();
- }
+ if ( $sp->isAuthenticated() ) {
+ unset($_SESSION['RequestID']);
+ unset($_SESSION['idpName']);
+ unset($_SESSION['idpEntityId']);
+ unset($_SESSION['acsUrl']);
+ unset($_SESSION['spidSession']['idp']);
+ unset($_SESSION['spidSession']);
+
+ unset($_SESSION['inResponseTo']);
+ unset($_SESSION['spid_redirect_to']);
+ unset($_SESSION['sloUrl']);
+ }
 if ( isset( $_GET['spid_redirect_to'] ) ) {
 $_SESSION['spid_redirect_to'] = $_GET['spid_redirect_to'];
 }
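Review bot: `session_set_cookie_params(['samesite' => 'None'])` is only honoured by browsers when the cookie also carries `Secure`, and that flag is supplied by the separate `session_start([...])` call on the next line, so the two settings can drift apart if either line is later edited; passing all three in one place, `session_start(['cookie_secure' => true, 'cookie_httponly' => true, 'cookie_samesite' => 'None']);`, keeps the invariant together. Both the `cookie_samesite` option and the array form of `session_set_cookie_params()` need PHP 7.3 or newer, and I cannot confirm from this hunk that this is the plugin's declared minimum; on older PHP the array form is a warning and the attribute is silently dropped. Two consequences deserve a comment in the code: this is the site-wide PHP session cookie, so `SameSite=None` sends it on every cross-site request rather than only on the IdP's POST back to the ACS endpoint, and with `cookie_secure` true a site served over plain HTTP never gets the cookie back and the login flow fails silently. Suggested comment above the call: `// SameSite=None keeps the session alive across the IdP's cross-site POST to the ACS URL; browsers accept it only with Secure, so HTTPS is mandatory.`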
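Review bot: The rewritten `if ( $sp->isAuthenticated() )` branch clears the SPID keys but keeps the existing session identifier, and the start of a new login attempt is where `session_regenerate_id(true);` is conventionally called so that a session ID established before authentication cannot be carried through it; the removed `session_destroy()`/`session_start()` pair did not regenerate the ID either, so this is a pre-existing gap that the rewrite is the natural place to close. `unset($_SESSION['spidSession']['idp']);` is redundant because the whole `spidSession` entry is removed on the very next line. The key list is also hand-maintained: any other state the SAML library behind `$sp` keeps in `$_SESSION` (I cannot see what it writes from this hunk) survives the reset, so moving the list into one small helper would make the reset reusable and easier to keep complete. spid_handle() begins before this hunk and continues after it.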