Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • cesnet_simplesamlphp-1.19.8
  • elixir_simplesamlphp-1.19.8
  • simplesamlphp-1.19.8
  • cesnet_simplesamlphp-1.19.5
  • simplesamlphp-2.0
  • feature/assets
  • feature/rac-source-selector
  • cleanup/remove-base64-attributes
  • simplesamlphp-1.19
  • elixir_simplesamlphp-1.19.5
  • aarc_idp_hinting
  • feature/validate-authstate-before-processing
  • feature/build-two-tarballs
  • dependabot/composer/twig/twig-3.4.3
  • tvdijen-patch-1
  • unchanged-acs-url-no-www-script
  • feature/translation-improvements
  • symfony6
  • move_tests
  • v1.19.9
  • v2.1.3
  • v2.0.10
  • v2.1.2
  • v2.0.9
  • v2.1.1
  • v2.0.8
  • v2.1.0
  • v2.0.7
  • v2.1.0-rc1
  • v2.0.6
  • v2.0.5
  • 2.0.4-alpha.1
  • v2.0.4-alpha.1
  • v2.0.4
  • v2.0.3
  • v2.0.2
  • v2.0.1-alpha.1
  • v2.0.1
  • v1.19.8
40 results
Blame Permalink
  • Jaime Pérez Crespo's avatar
    8b4b2138
    Do not attempt to set the session ID for transient sessions · 8b4b2138
    Jaime Pérez Crespo authored 
    It just doesn't make any sense. If we managed to get it from an existing cookie, it serves no purpose, as at this point we couldn't load the session anyway, and what we use to track users is the track ID, not the session ID. Additionally, since this is a transient session, we're not going to push the cookie to the browser (we might not even can do that), so it's really pointless to set the session ID.

This, additionally, was causing that the Session class would be unable to initialize and register a transient session if the issue that forced us to use a transient in the first place was an issue with the session handler (e.g. missing PHP extensions or dependencies, or connection failure to the backend, etc). Under such circumstances, the code removed here will not work either, since the session handler will continue to fail to initialize. This would cause the exception handler to jump in, completely losing control of the execution, and making it impossible to display the error to the user (since the transient session creation is never completed, it cannot be used later where it is needed in the SimpleSAML\Error\Error class).

This resolves #914.
    8b4b2138
    History
    Do not attempt to set the session ID for transient sessions
    Jaime Pérez Crespo authored 
    It just doesn't make any sense. If we managed to get it from an existing cookie, it serves no purpose, as at this point we couldn't load the session anyway, and what we use to track users is the track ID, not the session ID. Additionally, since this is a transient session, we're not going to push the cookie to the browser (we might not even can do that), so it's really pointless to set the session ID.

This, additionally, was causing that the Session class would be unable to initialize and register a transient session if the issue that forced us to use a transient in the first place was an issue with the session handler (e.g. missing PHP extensions or dependencies, or connection failure to the backend, etc). Under such circumstances, the code removed here will not work either, since the session handler will continue to fail to initialize. This would cause the exception handler to jump in, completely losing control of the execution, and making it impossible to display the error to the user (since the transient session creation is never completed, it cannot be used later where it is needed in the SimpleSAML\Error\Error class).

This resolves #914.
Code owners
Assign users and groups as approvers for specific file changes. Learn more.