From 08ae7dfdb65eac00d4ff6a562348832fa0c28e34 Mon Sep 17 00:00:00 2001
From: Silas <silas@mailcamp.nl>
Date: Thu, 7 May 2020 14:13:43 +0200
Subject: [PATCH] fixed warning when Warning: session_create_id(): Failed to
 create ID (#1291)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fixed the `Warning: session_create_id(): Failed to create new ID in /var/ssosp/lib/SimpleSAML/SessionHandlerPHP.php` warning

* Use session_create_id() unconditionally

In master, we require PHP 7.2, which is guaranteed to provide `session_create_id()`. Therefore, we don't need the if clause any longer. Add also a warning when `session_create_id()` fails, and fall back gracefully to our old way to create session IDs.

Co-authored-by: Jaime PĂ©rez Crespo <jaime.perez@uninett.no>
---
 lib/SimpleSAML/SessionHandlerPHP.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 0a646c58a..d6e6d15e4 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -166,15 +166,16 @@ class SessionHandlerPHP extends SessionHandler
     public function newSessionId(): string
     {
         // generate new (secure) session id
-        if (function_exists('session_create_id')) {
-            $sid_length = (int) ini_get('session.sid_length');
-            $sid_bits_per_char = (int) ini_get('session.sid_bits_per_character');
+        $sid_length = (int) ini_get('session.sid_length');
+        $sid_bits_per_char = (int) ini_get('session.sid_bits_per_character');
 
-            if (($sid_length * $sid_bits_per_char) < 128) {
-                Logger::warning("Unsafe defaults used for sessionId generation!");
-            }
-            $sessionId = session_create_id();
-        } else {
+        if (($sid_length * $sid_bits_per_char) < 128) {
+            Logger::warning("Unsafe defaults used for sessionId generation!");
+        }
+        $sessionId = session_create_id();
+
+        if (!$sessionId) {
+            Logger::warning("Secure session ID generation failed, falling back to custom ID generation.");
             $sessionId = bin2hex(openssl_random_pseudo_bytes(16));
         }
         Session::createSession($sessionId);
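Review bot: The new `if (!$sessionId)` branch routes into the unchanged `bin2hex(openssl_random_pseudo_bytes(16))` fallback without checking that call's result; on the PHP 7.2 baseline the message cites, `openssl_random_pseudo_bytes()` can return false (or bytes it does not flag as strong), so a failed primary path could hand `bin2hex(false)` to `Session::createSession()`. `random_bytes()` is available from PHP 7.0, throws instead of degrading, and 16 bytes matches the 128-bit floor the preceding check enforces, so `$sessionId = bin2hex(random_bytes(16));` is the safer fallback line. As far as I can tell `session_create_id()` still emits the engine-level warning named in the subject when it returns false, so this change adds the Logger message alongside that warning rather than replacing it; whatever makes the call fail should be diagnosed before it is reached, and `if ($sessionId === false)` would state the intent more precisely than the truthiness test. newSessionId continues past the end of the hunk.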
-- 
GitLab