Prevent session_start() from sending cookies if possible. If not, at least supress warnings.

40363e2f · Jaime Perez Crespo · bcf25b0d · 40363e2f
Commit 40363e2f authored 8 years ago by Jaime Perez Crespo
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -84,6 +84,32 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
    }


+    /**
+     * This method starts a session, making sure no warnings are generated due to headers being already sent.
+     */
+    private function sessionStart()
+    {
+        $cacheLimiter = session_cache_limiter();
+        if (headers_sent()) {
+            /*
+             * session_start() tries to send HTTP headers depending on the configuration, according to the
+             * documentation:
+             *
+             *      http://php.net/manual/en/function.session-start.php
+             *
+             * If headers have been already sent, it will then trigger an error since no more headers can be sent.
+             * Being unable to send headers does not mean we cannot recover the session by calling session_start(),
+             * so we still want to call it. In this case, though, we want to avoid session_start() to send any
+             * headers at all so that no error is generated, so we clear the cache limiter temporarily (no headers
+             * sent then) and restore it after successfully starting the session.
+             */
+            session_cache_limiter('');
+        }
+        @session_start();
+        session_cache_limiter($cacheLimiter);
+    }
+
+
    /**
     * Restore a previously-existing session.
     *
@@ -113,7 +139,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
        );
        session_id($this->previous_session['id']);
        $this->previous_session = array();
-        session_start();
+        $this->sessionStart();

        /*
         * At this point, we have restored a previously-existing session, so we can't continue to use our session here.
@@ -154,7 +180,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
        }

        session_id($sessionId);
-        session_start();
+        $this->sessionStart();

        return session_id();
    }
@@ -182,25 +208,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
            throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
        }

-        $cacheLimiter = session_cache_limiter();
-        if (headers_sent()) {
-            /*
-             * session_start() tries to send HTTP headers depending on the configuration, according to the
-             * documentation:
-             *
-             *      http://php.net/manual/en/function.session-start.php
-             *
-             * If headers have been already sent, it will then trigger an error since no more headers can be sent.
-             * Being unable to send headers does not mean we cannot recover the session by calling session_start(),
-             * so we still want to call it. In this case, though, we want to avoid session_start() to send any
-             * headers at all so that no error is generated, so we clear the cache limiter temporarily (no headers
-             * sent then) and restore it after successfully starting the session.
-             */
-            session_cache_limiter('');
-        }
-        session_start();
-        session_cache_limiter($cacheLimiter);
-
+       $this->sessionStart();
        return session_id();
    }

@@ -250,7 +258,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
                }

                session_id($sessionId);
-                session_start();
+                $this->sessionStart();
            } elseif ($sessionId !== session_id()) {
                throw new SimpleSAML_Error_Exception('Cannot load PHP session with a specific ID.');
            }