Session cookie not bound to the correct domain

[fmeschbe]

I have a setup, where a single vhosted TwoFactorAuth is serving multiple vhost servers. In this case the cookies must be bound to the protected vhost instead of the TwoFactorAuth vhost.

Looks like this line in login.php :

$domain = ($_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['SERVER_NAME'] : false;

is checking for the correct Host request header but then is using the SERVER_NAME instead, which seems wrong. I guess the more correct code would be:

$domain = (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['HTTP_HOST'] : false;