From ab344d8859770fdcae003c438bd56896eaa870b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 6 Jun 2017 17:16:55 +0200
Subject: [PATCH] Fix a bug in the PHP session handler

When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, so that a misbehaving handler cannot cause an issue.

This resolves #616.
---
 lib/SimpleSAML/Session.php           | 4 ++--
 lib/SimpleSAML/SessionHandlerPHP.php | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 97c1db23c..5492a9514 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -270,7 +270,7 @@ class SimpleSAML_Session implements Serializable
         }
 
         // if getSession() found it, use it
-        if ($session !== null) {
+        if ($session instanceof SimpleSAML_Session) {
             return self::load($session);
         }
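Review bot: Replacing the null check with `instanceof` makes a handler that returns a non-null, non-Session value fall through silently, so the misbehaviour the commit message wants to guard against is now hidden rather than reported. Consider keeping the type check but logging the unexpected case before falling through, e.g. `} elseif ($session !== null) { \SimpleSAML\Logger::warning('Session handler returned a non-session value; ignoring it.'); }` (assuming the project's Logger is available at this point, as it is elsewhere in this class). The enclosing method starts and ends outside the hunk, so what happens after the fall-through is not visible here.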
 
@@ -311,7 +311,7 @@ class SimpleSAML_Session implements Serializable
      *
      * @param string|null $sessionId The session we should get, or null to get the current session.
      *
-     * @return SimpleSAML_Session The session that is stored in the session handler, or null if the session wasn't
+     * @return SimpleSAML_Session|null The session that is stored in the session handler, or null if the session wasn't
      * found.
      */
     public static function getSession($sessionId = null)
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 0cf8d074e..16f2f7d7a 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -266,9 +266,8 @@ class SessionHandlerPHP extends SessionHandler
         assert('is_string($session)');
 
         $session = unserialize($session);
-        assert('$session instanceof SimpleSAML_Session');
 
-        return $session;
+        return ($session !== false) ? $session : null;
     }
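Review bot: The new return still passes through any non-false value, so corrupt or foreign session data that unserializes to a string, array or other object is returned where callers expect a SimpleSAML_Session or null; the removed `assert` only enforced that in debug builds. Checking the type directly, `return ($session instanceof SimpleSAML_Session) ? $session : null;`, gives the same guarantee in production and also handles a stored serialized `false`, which is indistinguishable from a failed unserialize. Since the data comes from the PHP session store, the `allowed_classes` option of `unserialize()` could further restrict what gets instantiated, but the session object presumably contains nested project types, so that would need an audit of the classes involved. The enclosing method's signature and docblock are outside the hunk, so the declared return type cannot be confirmed here.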
 
 
-- 
GitLab