Avoid session cookies being set twice, hopefully for good.

a0407d17 · Jaime Perez Crespo · 72d787c2 · a0407d17 · a0407d17 · a0407d17
Commit a0407d17 authored 9 years ago by Jaime Perez Crespo
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -62,9 +62,9 @@ abstract class SimpleSAML_SessionHandler
    /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
     *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
     */
    abstract public function getCookieSessionId();

--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -60,9 +60,9 @@ abstract class SimpleSAML_SessionHandlerCookie extends SimpleSAML_SessionHandler
    /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
     *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
     */
    public function getCookieSessionId()
    {
@@ -74,8 +74,8 @@ abstract class SimpleSAML_SessionHandlerCookie extends SimpleSAML_SessionHandler
            // check if we have a valid session id
            if (!self::isValidSessionID($this->session_id)) {
-                // we don't have a valid session. Create a new session id
+                // invalid, disregard this session
-                return self::newSessionId();
+                return null;
            }
        }

--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -99,9 +99,9 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
    /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
     *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
     *
     * @throws SimpleSAML_Error_Exception If the cookie is marked as secure but we are not using HTTPS.
     */
@@ -109,7 +109,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
    {
        if (session_id() === '') {
            if (!self::hasSessionCookie()) {
-                return self::newSessionId();
+                return null;
            }
            $session_cookie_params = session_get_cookie_params();

--- a/lib/SimpleSAML/SessionHandlerStore.php
+++ b/lib/SimpleSAML/SessionHandlerStore.php
@@ -43,6 +43,10 @@ class SimpleSAML_SessionHandlerStore extends SimpleSAML_SessionHandlerCookie
        if ($sessionId === null) {
            $sessionId = $this->getCookieSessionId();
+            if ($sessionId === null) {
+                // no session cookie, nothing to load
+                return null;
+            }
        }
        $session = $this->store->get('session', $sessionId);