From 0e0f34f061805701d57e661273050601ab5e463e Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Wed, 21 Nov 2018 13:03:16 +0100
Subject: [PATCH] Generate sessionID complying with PHP config settings; 
 closes #569 and closes #566

---
 lib/SimpleSAML/SessionHandlerPHP.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index d5235f7c1..a93f09270 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -141,13 +141,21 @@ class SessionHandlerPHP extends SessionHandler
     public function newSessionId()
     {
         // generate new (secure) session id
-        $sessionId = bin2hex(openssl_random_pseudo_bytes(16));
-        Session::createSession($sessionId);
+        if (function_exists('session_create_id')) {
+            $sid_length = (int) ini_get('session.sid_length');
+            $sid_bits_per_char = (int) ini_get('session.sid_bits_per_character');
 
+            if (($sid_length * $sid_bits_per_char) < 128) {
+                \SimpleSAML\Logger::warning("Unsafe defaults used for sessionId generation!");
+            }
+            $sessionId = session_create_id();
+        } else {
+            $sessionId = bin2hex(openssl_random_pseudo_bytes(16));
+        }
+        SimpleSAML_Session::createSession($sessionId);
         return $sessionId;
     }
 
-
     /**
      * Retrieve the session ID saved in the session cookie, if there's one.
      *
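Review bot: `session_create_id()` can return `false` on failure, and the new branch at `$sessionId = session_create_id();` assigns that straight through to `SimpleSAML_Session::createSession($sessionId)` with no check, so a failed call would register a session under a bogus ID; add a guard such as `if ($sessionId === false) { throw new \SimpleSAML\Error\Exception('session_create_id() failed to produce a session ID'); }` right after the call. The warning text "Unsafe defaults used for sessionId generation!" is also misleading, since PHP's own defaults (32 chars x 4 bits) pass the 128-bit check and what is being reported is the operator's configured `session.sid_length`/`session.sid_bits_per_character`; logging the computed value, e.g. `\SimpleSAML\Logger::warning("session.sid_length * session.sid_bits_per_character gives " . ($sid_length * $sid_bits_per_char) . " bits of session ID entropy; at least 128 bits is recommended");`, tells an administrator what to fix. Note the weak configuration is only logged and the short ID is still used; whether falling back to the 128-bit generator is acceptable depends on whether PHP rejects IDs that do not match the configured format (the issue references suggest it may), so this is worth a comment on the warning branch either way.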
-- 
GitLab