From 406b169b2159f55dca84ddc5b0c38a09340ed81e Mon Sep 17 00:00:00 2001
From: Andjelko Horvat <comel@vingd.com>
Date: Thu, 5 Sep 2013 12:36:31 +0000
Subject: [PATCH] Generate new session id for new sessions (issue #569).
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3271 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Session.php | 2 +-
 lib/SimpleSAML/SessionHandler.php | 8 +++++
 lib/SimpleSAML/SessionHandlerCookie.php | 20 +++++++++---
 lib/SimpleSAML/SessionHandlerPHP.php | 43 ++++++++++++++++++-------
 4 files changed, 55 insertions(+), 18 deletions(-)
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index e373dc4f4..4cfd11cb1 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -163,7 +163,7 @@ class SimpleSAML_Session {
 }
 $sh = SimpleSAML_SessionHandler::getSessionHandler();
- $this->sessionId = $sh->getCookieSessionId();
+ $this->sessionId = $sh->newSessionId();
 $this->trackid = substr(md5(uniqid(rand(), true)), 0, 10);
diff --git a/lib/SimpleSAML/SessionHandler.php b/lib/SimpleSAML/SessionHandler.php
index a61844ed5..2d1a28c90 100644
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -47,6 +47,14 @@ abstract class SimpleSAML_SessionHandler {
 }
+ /**
+ * Create and set new session id.
+ *
+ * @return string The new session id.
+ */
+ abstract public function newSessionId();
+
+
 /**
 * Retrieve the session id of saved in the session cookie.
 *
diff --git a/lib/SimpleSAML/SessionHandlerCookie.php b/lib/SimpleSAML/SessionHandlerCookie.php
index 9d6d84618..7c5ae37a7 100644
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
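Review bot: The docblock on the new abstract `newSessionId()` in SessionHandler.php leaves unstated the contract that both implementations added by this commit honour: the id is generated server-side, registered with `SimpleSAML_Session::createSession()` and made the active id before it is returned. A subclass written from this text alone has nothing to tell it that accepting an id from the client is out of scope, which is the point of the change. Suggest `Create, register and activate a new, server-generated session id. Implementations must not reuse an id supplied by the client and must register the id with SimpleSAML_Session::createSession() before returning it.` in place of the one-line summary; the `@return string` line can stay.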
@@ -39,6 +39,20 @@ extends SimpleSAML_SessionHandler {
 }
+ /**
+ * Create and set new session id.
+ *
+ * @return string The new session id.
+ */
+ public function newSessionId() {
+ $this->session_id = self::createSessionID();
+ SimpleSAML_Session::createSession($this->session_id);
+ $this->setCookie($this->cookie_name, $this->session_id);
+
+ return $this->session_id;
+ }
+
+
 /**
 * Retrieve the session id of saved in the session cookie.
 *
@@ -54,9 +68,7 @@ extends SimpleSAML_SessionHandler {
 /* Check if we have a valid session id. */
 if(!self::isValidSessionID($this->session_id)) {
 /* We don't have a valid session. Create a new session id. */
- $this->session_id = self::createSessionID();
- SimpleSAML_Session::createSession($this->session_id);
- $this->setCookie($this->cookie_name, $this->session_id);
+ return self::newSessionId();
 }
 }
@@ -115,5 +127,3 @@ extends SimpleSAML_SessionHandler {
 }
 }
-
-?>
\ No newline at end of file
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 1d07f3707..b95bdcb22 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
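Review bot: The cookie handler's `newSessionId()` hands the new id to the client with `$this->setCookie(...)` without the `headers_sent()` guard that the PHP handler's `newSessionId()` in this same commit applies before starting its session. If `setCookie()` wraps `setcookie()` (its body is not in this patch), a call made after output has begun never reaches the client, so the id this method returns is not presented on the next request and every request would mint a fresh session. Suggest mirroring the sibling implementation ahead of the `setCookie()` call: `if (headers_sent()) { throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.'); }`.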
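Review bot: `return self::newSessionId();` in the second hunk of SessionHandlerCookie.php calls an instance method — it reads and writes `$this->session_id` and calls `$this->setCookie()` — through the static-style `self::` operator. PHP resolves this only because `$this` is available in the caller; it reads as a static call and hides the dependency on instance state. `return $this->newSessionId();` says what is meant. The same applies to `return self::newSessionId();` in the `getCookieSessionId()` hunk of SessionHandlerPHP.php. The enclosing `getCookieSessionId()` begins before this hunk, so its remaining return path is not visible here.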
@@ -53,6 +53,33 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 }
+ /**
+ * Create and set new session id.
+ *
+ * @return string The new session id.
+ */
+ public function newSessionId() {
+ $session_cookie_params = session_get_cookie_params();
+
+ if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
+ throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
+ }
+
+ if (headers_sent()) {
+ throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
+ }
+
+ /* Generate new (secure) session id. */
+ $sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
+ SimpleSAML_Session::createSession($sessionId);
+ session_id($sessionId);
+
+ session_start();
+
+ return session_id();
+ }
+
+
 /**
 * Retrieve the session id of saved in the session cookie.
 *
@@ -60,24 +87,16 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 */
 public function getCookieSessionId() {
 if(session_id() === '') {
+ if(!self::hasSessionCookie()) {
+ return self::newSessionId();
+ }
+
 $session_cookie_params = session_get_cookie_params();
 if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
 throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
 }
- if(!self::hasSessionCookie()) {
-
- if (headers_sent()) {
- throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
- }
-
- /* Session cookie unset - session id not set. Generate new (secure) session id. */
- $sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
- SimpleSAML_Session::createSession($sessionId);
- session_id($sessionId);
- }
-
 session_start();
 }
--
GitLab
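Review bot: The PHP handler's `newSessionId()` does not handle being called while a PHP session is already active: `session_id()` cannot change the id of a started session, and the following `session_start()` is then a no-op with a notice, so the method returns the pre-existing id — which PHP took from the client's cookie — while `SimpleSAML_Session::createSession()` was registered under a different, unused id. The old `getCookieSessionId()` only reached this code inside `if(session_id() === '')`, but the new direct call from the `SimpleSAML_Session` constructor (`$this->sessionId = $sh->newSessionId();` in Session.php) has no such guard, so a stale cookie whose server-side data has expired plausibly arrives here with the session already started; whether that path occurs depends on code outside these hunks. Suggest replacing the id of an active session with `session_regenerate_id(true)` rather than a second `session_start()`, as below, so the client-supplied id is never the one handed back.
```php
public function newSessionId() {
    /* A PHP session is already active: replace its id in place. A second
     * session_start() would keep the id PHP read from the request cookie. */
    if (session_id() !== '') {
        session_regenerate_id(true);
        SimpleSAML_Session::createSession(session_id());
        return session_id();
    }

    /* … unchanged: secure-cookie and headers_sent() checks, id generation, session_start(), return … */
```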