From 406b169b2159f55dca84ddc5b0c38a09340ed81e Mon Sep 17 00:00:00 2001
From: Andjelko Horvat <comel@vingd.com>
Date: Thu, 5 Sep 2013 12:36:31 +0000
Subject: [PATCH] Generate new session id for new sessions (issue #569).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3271 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Session.php              |  2 +-
 lib/SimpleSAML/SessionHandler.php       |  8 +++++
 lib/SimpleSAML/SessionHandlerCookie.php | 20 +++++++++---
 lib/SimpleSAML/SessionHandlerPHP.php    | 43 ++++++++++++++++++-------
 4 files changed, 55 insertions(+), 18 deletions(-)

diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index e373dc4f4..4cfd11cb1 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -163,7 +163,7 @@ class SimpleSAML_Session {
 		}
 
 		$sh = SimpleSAML_SessionHandler::getSessionHandler();
-		$this->sessionId = $sh->getCookieSessionId();
+		$this->sessionId = $sh->newSessionId();
 
 		$this->trackid = substr(md5(uniqid(rand(), true)), 0, 10);
 
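Review bot: The new `$sh->newSessionId()` line deserves a comment saying why the id is minted here instead of read back from the cookie, since the line it replaces did the opposite and the enclosing method begins outside this hunk. Suggest `/* Always mint a fresh id for a new session; never adopt an id presented by the client (issue #569). */` above the call. Note that with the PHP handler this call now throws whenever headers have already been sent, whereas the old `getCookieSessionId()` only threw in that case when no cookie was present, so any caller that constructs a session late in the response should be checked for that behaviour change.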
diff --git a/lib/SimpleSAML/SessionHandler.php b/lib/SimpleSAML/SessionHandler.php
index a61844ed5..2d1a28c90 100644
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -47,6 +47,14 @@ abstract class SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	abstract public function newSessionId();
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *
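Review bot: The docblock on the new abstract `newSessionId()` states only "Create and set new session id", which does not capture the contract the two implementations share and that this issue is about. Suggest `Create a fresh session id, register the session in the store and send it to the client; never reuse an id presented by the client.` as the description, plus `@throws SimpleSAML_Error_Exception` since the PHP implementation throws when headers are already sent or a secure cookie is requested over plain HTTP.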
diff --git a/lib/SimpleSAML/SessionHandlerCookie.php b/lib/SimpleSAML/SessionHandlerCookie.php
index 9d6d84618..7c5ae37a7 100644
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -39,6 +39,20 @@ extends SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	public function newSessionId() {
+		$this->session_id = self::createSessionID();
+		SimpleSAML_Session::createSession($this->session_id);
+		$this->setCookie($this->cookie_name, $this->session_id);
+
+		return $this->session_id;
+	}
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *
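Review bot: The cookie handler's `newSessionId()` calls `$this->setCookie(...)` without the `headers_sent()` guard its PHP-handler counterpart has; if output has already started the cookie cannot be sent, yet `SimpleSAML_Session::createSession()` has already registered the new id, leaving a server-side session the client can never present. Suggest `if (headers_sent()) { throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.'); }` before the store and cookie writes, mirroring the PHP handler. `setCookie()` is not visible in this patch, so if it already throws in that case the guard is redundant.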
@@ -54,9 +68,7 @@ extends SimpleSAML_SessionHandler {
 			/* Check if we have a valid session id. */
 			if(!self::isValidSessionID($this->session_id)) {
 				/* We don't have a valid session. Create a new session id. */
-				$this->session_id = self::createSessionID();
-				SimpleSAML_Session::createSession($this->session_id);
-				$this->setCookie($this->cookie_name, $this->session_id);
+				return self::newSessionId();
 			}
 		}
 
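Review bot: `return self::newSessionId();` invokes an instance method through the static `self::` syntax; it works because `$this` is forwarded, but it reads as a static call and hides that the method mutates `$this->session_id`. Prefer `return $this->newSessionId();`. The remainder of `getCookieSessionId()` lies outside this hunk.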
@@ -115,5 +127,3 @@ extends SimpleSAML_SessionHandler {
 	}
 
 }
-
-?>
\ No newline at end of file
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 1d07f3707..b95bdcb22 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -53,6 +53,33 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 	}
 
 
+	/**
+	 * Create and set new session id.
+	 *
+	 * @return string  The new session id.
+	 */
+	public function newSessionId() {
+		$session_cookie_params = session_get_cookie_params();
+
+		if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
+			throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
+		}
+
+		if (headers_sent()) {
+			throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
+		}
+
+		/* Generate new (secure) session id. */
+		$sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
+		SimpleSAML_Session::createSession($sessionId);
+		session_id($sessionId);
+
+		session_start();
+
+		return session_id();
+	}
+
+
 	/**
 	 * Retrieve the session id of saved in the session cookie.
 	 *
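Review bot: `newSessionId()` assumes no PHP session is active yet: if one was already started earlier in the request (for instance by `getCookieSessionId()` with a cookie present), `session_id($sessionId)` followed by `session_start()` does not replace the running session, since PHP ignores a second `session_start()`, so the returned id may not match what the client's cookie carries and the fixation this commit addresses is not closed on that path. Suggest guarding with `if (session_id() !== '') { throw new SimpleSAML_Error_Exception('Cannot create new session - a session is already active.'); }` beside the `headers_sent()` check, or handling that case explicitly with `session_regenerate_id(true)`. The call order is not visible in this patch, so this may be unreachable in practice, but the method should state the precondition either way.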
@@ -60,24 +87,16 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler {
 	 */
 	public function getCookieSessionId() {
 		if(session_id() === '') {
+			if(!self::hasSessionCookie()) {
+				return self::newSessionId();
+			}
+
 			$session_cookie_params = session_get_cookie_params();
 
 			if ($session_cookie_params['secure'] && !SimpleSAML_Utilities::isHTTPS()) {
 				throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
 			}
 
-			if(!self::hasSessionCookie()) {
-
-				if (headers_sent()) {
-					throw new SimpleSAML_Error_Exception('Cannot create new session - headers already sent.');
-				}
-
-				/* Session cookie unset - session id not set. Generate new (secure) session id. */
-				$sessionId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(16));
-				SimpleSAML_Session::createSession($sessionId);
-				session_id($sessionId);
-			}
-			
 			session_start();
 		}
 
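Review bot: The secure-cookie check kept here duplicates the one now in `newSessionId()`, and `self::hasSessionCookie()` / `self::newSessionId()` call instance methods via `self::`; prefer `$this->` and consider moving the shared check into a small private helper. When a cookie is present this path still starts the session with whatever id the client sent, so protection against a client-chosen id depends entirely on the Session constructor minting a fresh one; a comment such as `/* An existing cookie id is only adopted here; new sessions get a fresh id via newSessionId(). */` would make that dependency explicit. The tail of `getCookieSessionId()` is outside this hunk.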
-- 
GitLab