From 344d075952c9343809f57f4e465504dd5e3068a4 Mon Sep 17 00:00:00 2001
From: Robin Wood
Date: Tue, 21 May 2019 13:02:25 +0100
Subject: [PATCH] Don't include the port with the domain when setting the cookie (#202)
---
 samlsp/cookie.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/samlsp/cookie.go b/samlsp/cookie.go
index f05c0b20..e3e99c98 100644
--- a/samlsp/cookie.go
+++ b/samlsp/cookie.go
@@ -1,6 +1,7 @@
 package samlsp
 
 import (
+ "net"
 "net/http"
 "strings"
 "time"
@@ -81,9 +82,14 @@ func (c ClientCookies) DeleteState(w http.ResponseWriter, r *http.Request, id st
 
 // SetToken assigns the specified token by setting a cookie.
 func (c ClientCookies) SetToken(w http.ResponseWriter, r *http.Request, value string, maxAge time.Duration) {
+ // Cookies should not have the port attached to them so strip it off
+ domain := c.Domain
+ if strings.Contains(domain, ":") {
+ domain, _, _ = net.SplitHostPort(domain)
+ }
 http.SetCookie(w, &http.Cookie{
 Name: c.Name,
- Domain: c.Domain,
+ Domain: domain,
 Value: value,
 MaxAge: int(maxAge.Seconds()),
 HttpOnly: true,
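Review bot: The error from `net.SplitHostPort` is discarded in SetToken, so a `c.Domain` that contains a colon but is not a plain host:port (a bare or bracketed IPv6 literal, for instance) leaves `domain` as the empty string, and the token cookie is then written with no Domain attribute at all, without any signal to the operator. Keeping the configured value when the split fails avoids that: `if host, _, err := net.SplitHostPort(c.Domain); err == nil { domain = host }`, which also makes the `strings.Contains` pre-check unnecessary. The other cookie writers in this file are outside the hunk (DeleteState appears only in the hunk header); if they still pass `c.Domain` unchanged, the cookie that sets the token and the one meant to clear it would carry different Domain attributes and the browser would likely not treat them as the same cookie, so the stripping probably belongs in one shared helper. SetToken's body continues past the end of the hunk.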