Generate new session id for new sessions (issue #569).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3271 44740490-163a-0410-bde0-09ae8108e29a

lib/SimpleSAML/Session.php

@@ -163,7 +163,7 @@ class SimpleSAML_Session {
 		}
 
 		$sh = SimpleSAML_SessionHandler::getSessionHandler();
-		$this->sessionId = $sh->getCookieSessionId();
+		$this->sessionId = $sh->newSessionId();
 
 		$this->trackid = substr(md5(uniqid(rand(), true)), 0, 10);
 

lib/SimpleSAML/SessionHandler.php

@@ -47,6 +47,14 @@ abstract class SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	abstract public function newSessionId();
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *

lib/SimpleSAML/SessionHandlerCookie.php

@@ -39,6 +39,20 @@ extends SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	public function newSessionId() {
+		$this->session_id = self::createSessionID();
+		SimpleSAML_Session::createSession($this->session_id);
+		$this->setCookie($this->cookie_name, $this->session_id);
+
+		return $this->session_id;
+	}
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *
@@ -54,9 +68,7 @@ extends SimpleSAML_SessionHandler {
 			/* Check if we have a valid session id. */
 			if(!self::isValidSessionID($this->session_id)) {
 				/* We don't have a valid session. Create a new session id. */
-				$this->session_id = self::createSessionID();
-				SimpleSAML_Session::createSession($this->session_id);
-				$this->setCookie($this->cookie_name, $this->session_id);
+				return self::newSessionId();
 			}
 		}
 
@@ -115,5 +127,3 @@ extends SimpleSAML_SessionHandler {
 	}
 
 }
-
-?>
\ No newline at end of file

lib/SimpleSAML/SessionHandlerPHP.php

@@ -53,6 +53,33 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	public function newSessionId() {
+		$session_cookie_params = session_get_cookie_params();
+
+		if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
+			throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
+		}
+
+		if (headers_sent()) {
+			throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
+		}
+
+		/* Generate new (secure) session id. */
+		$sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
+		SimpleSAML_Session::createSession($sessionId);
+		session_id($sessionId);
+
+		session_start();
+
+		return session_id();
+	}
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *
@@ -60,24 +87,16 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 	 */
 	public function getCookieSessionId() {
 		if(session_id() === '') {
+			if(!self::hasSessionCookie()) {
+				return self::newSessionId();
+			}
+
 			$session_cookie_params = session_get_cookie_params();
 
 			if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
 				throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
 			}
 
-			if(!self::hasSessionCookie()) {
-
-				if (headers_sent()) {
-					throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
-				}
-
-				/* Session cookie unset - session id not set. Generate new (secure) session id. */
-				$sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
-				SimpleSAML_Session::createSession($sessionId);
-				session_id($sessionId);
-			}
-			
 			session_start();
 		}