From a0407d17cccc4a00aa1cec4b18e613019adf8744 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Mon, 26 Oct 2015 10:48:44 +0100
Subject: [PATCH] Avoid session cookies being set twice, hopefully for good.

---
 lib/SimpleSAML/SessionHandler.php       | 4 ++--
 lib/SimpleSAML/SessionHandlerCookie.php | 8 ++++----
 lib/SimpleSAML/SessionHandlerPHP.php    | 6 +++---
 lib/SimpleSAML/SessionHandlerStore.php  | 4 ++++
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandler.php b/lib/SimpleSAML/SessionHandler.php
index debfba0b5..8d14c0900 100644
--- a/lib/SimpleSAML/SessionHandler.php
+++ b/lib/SimpleSAML/SessionHandler.php
@@ -62,9 +62,9 @@ abstract class SimpleSAML_SessionHandler
 
 
     /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
      *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
      */
     abstract public function getCookieSessionId();
 
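Review bot: The docblock now promises `string|null`, but nothing in the abstract declaration says what an implementation must not do, and the double-cookie bug this patch fixes presumably came from implementations creating a fresh ID (and, I infer, setting a cookie) inside this getter. Suggest stating the contract explicitly in the docblock so subclasses outside this patch do not reintroduce it: ` * Implementations must only read the cookie; they must never generate a new session ID or set a cookie here. Return null and let the caller create a session.` Callers of getCookieSessionId() other than SessionHandlerStore::loadSession are outside this patch, so whether every one of them handles null cannot be confirmed from here.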
diff --git a/lib/SimpleSAML/SessionHandlerCookie.php b/lib/SimpleSAML/SessionHandlerCookie.php
index f0b56ccd6..c8409a8d7 100644
--- a/lib/SimpleSAML/SessionHandlerCookie.php
+++ b/lib/SimpleSAML/SessionHandlerCookie.php
@@ -60,9 +60,9 @@ abstract class SimpleSAML_SessionHandlerCookie extends SimpleSAML_SessionHandler
 
 
     /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
      *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
      */
     public function getCookieSessionId()
     {
@@ -74,8 +74,8 @@ abstract class SimpleSAML_SessionHandlerCookie extends SimpleSAML_SessionHandler
 
             // check if we have a valid session id
             if (!self::isValidSessionID($this->session_id)) {
-                // we don't have a valid session. Create a new session id
-                return self::newSessionId();
+                // invalid, disregard this session
+                return null;
             }
         }
 
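Review bot: Returning null for an invalid cookie value leaves `$this->session_id` holding the rejected value, since the assignment that reads the cookie is above the hunk and the rest of getCookieSessionId() continues below it; if the method short-circuits on a non-null `$this->session_id` on a later call (I cannot see that from the hunk), the second call would hand back the invalid ID that the first call refused. If that is the case, clear it before bailing out: `$this->session_id = null;` ahead of `return null;`. An invalid session cookie is also worth a log line for operators, e.g. `SimpleSAML_Logger::warning('Invalid session ID in cookie, ignoring it.');`, since silently dropping it hides malformed or tampered cookies from the logs.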
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 7bc7a17a1..c8e9107d9 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -99,9 +99,9 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
 
 
     /**
-     * Retrieve the session id of saved in the session cookie.
+     * Retrieve the session ID saved in the session cookie, if there's one.
      *
-     * @return string The session id saved in the cookie.
+     * @return string|null The session id saved in the cookie or null if no session cookie was set.
      *
      * @throws SimpleSAML_Error_Exception If the cookie is marked as secure but we are not using HTTPS.
      */
@@ -109,7 +109,7 @@ class SimpleSAML_SessionHandlerPHP extends SimpleSAML_SessionHandler
     {
         if (session_id() === '') {
             if (!self::hasSessionCookie()) {
-                return self::newSessionId();
+                return null;
             }
 
             $session_cookie_params = session_get_cookie_params();
diff --git a/lib/SimpleSAML/SessionHandlerStore.php b/lib/SimpleSAML/SessionHandlerStore.php
index ecf7154d7..90068808c 100644
--- a/lib/SimpleSAML/SessionHandlerStore.php
+++ b/lib/SimpleSAML/SessionHandlerStore.php
@@ -43,6 +43,10 @@ class SimpleSAML_SessionHandlerStore extends SimpleSAML_SessionHandlerCookie
 
         if ($sessionId === null) {
             $sessionId = $this->getCookieSessionId();
+            if ($sessionId === null) {
+                // no session cookie, nothing to load
+                return null;
+            }
         }
 
         $session = $this->store->get('session', $sessionId);
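Review bot: The new comment `// no session cookie, nothing to load` is narrower than the condition it guards: per the SessionHandlerCookie hunk in this same patch, getCookieSessionId() also returns null when a cookie is present but fails isValidSessionID(), so this branch covers both cases. Suggest `// no usable session cookie (missing or invalid), nothing to load` so a reader does not assume a rejected cookie takes a different path. loadSession() starts above the hunk and continues past it.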
-- 
GitLab