From 38cb65773cc964a37b4b9ef5e2cc362d5df97bbf Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Mon, 15 Feb 2016 10:16:07 +0100
Subject: [PATCH] Avoid the PHP session handler to generate errors when we try
 to retrieve a session after the headers being sent to the browser.

---
 lib/SimpleSAML/SessionHandlerPHP.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index c8e9107d9..da031ebe1 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -118,7 +118,24 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
                 throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
             }
 
+            $cacheLimiter = session_cache_limiter();
+            if (headers_sent()) {
+                /*
+                 * session_start() tries to send HTTP headers depending on the configuration, according to the
+                 * documentation:
+                 *
+                 *      http://php.net/manual/en/function.session-start.php
+                 *
+                 * If headers have been already sent, it will then trigger an error since no more headers can be sent.
+                 * Being unable to send headers does not mean we cannot recover the session by calling session_start(),
+                 * so we still want to call it. In this case, though, we want to avoid session_start() to send any
+                 * headers at all so that no error is generated, so we clear the cache limiter temporarily (no headers
+                 * sent then) and restore it after successfully starting the session.
+                 */
+                session_cache_limiter('');
+            }
             session_start();
+            session_cache_limiter($cacheLimiter);
         }
 
         return session_id();
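Review bot: Clearing the cache limiter before `session_start()` only suppresses the cache-control headers. If `session_start()` also has to emit a `Set-Cookie` (for instance when the incoming id is rejected and a fresh one is generated), that header still cannot be sent once `headers_sent()` is true, and the new id would never reach the browser. The return value of `session_start()` is not checked, although the comment says the limiter is restored "after successfully starting the session"; consider `if (!session_start()) { throw new SimpleSAML_Error_Exception('Could not start the PHP session.'); }` before the restore. This branch also means a session-bound response went out without the usual no-cache headers, so it is worth logging the file and line reported by `headers_sent($file, $line)` to keep the early output traceable. The enclosing method starts and ends outside the hunk, so these lines cannot confirm whether a session cookie is guaranteed to be present here.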
-- 
GitLab