From ab344d8859770fdcae003c438bd56896eaa870b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 6 Jun 2017 17:16:55 +0200
Subject: [PATCH] Fix a bug in the PHP session handler
When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, to avoid any misbehaving handlers to generate an issue.
This resolves #616.
---
lib/SimpleSAML/Session.php | 4 ++--
lib/SimpleSAML/SessionHandlerPHP.php | 3 +--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 97c1db23c..5492a9514 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -270,7 +270,7 @@ class SimpleSAML_Session implements Serializable
}
// if getSession() found it, use it
- if ($session !== null) {
+ if ($session instanceof SimpleSAML_Session) {
return self::load($session);
}
@@ -311,7 +311,7 @@ class SimpleSAML_Session implements Serializable
*
* @param string|null $sessionId The session we should get, or null to get the current session.
*
- * @return SimpleSAML_Session The session that is stored in the session handler, or null if the session wasn't
+ * @return SimpleSAML_Session|null The session that is stored in the session handler, or null if the session wasn't
* found.
*/
public static function getSession($sessionId = null)
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 0cf8d074e..16f2f7d7a 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -266,9 +266,8 @@ class SessionHandlerPHP extends SessionHandler
assert('is_string($session)');
$session = unserialize($session);
- assert('$session instanceof SimpleSAML_Session');
- return $session;
+ return ($session !== false) ? $session : null;
}
--
GitLab