From ab344d8859770fdcae003c438bd56896eaa870b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 6 Jun 2017 17:16:55 +0200
Subject: [PATCH] Fix a bug in the PHP session handler

When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, to avoid any misbehaving handlers to generate an issue.

This resolves #616.
---
 lib/SimpleSAML/Session.php | 4 ++--
 lib/SimpleSAML/SessionHandlerPHP.php | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 97c1db23c..5492a9514 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -270,7 +270,7 @@ class SimpleSAML_Session implements Serializable
         }
 
         // if getSession() found it, use it
-        if ($session !== null) {
+        if ($session instanceof SimpleSAML_Session) {
             return self::load($session);
         }
 
@@ -311,7 +311,7 @@ class SimpleSAML_Session implements Serializable
      *
      * @param string|null $sessionId The session we should get, or null to get the current session.
      *
-     * @return SimpleSAML_Session The session that is stored in the session handler, or null if the session wasn't
+     * @return SimpleSAML_Session|null The session that is stored in the session handler, or null if the session wasn't
      *     found.
      */
     public static function getSession($sessionId = null)
diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 0cf8d074e..16f2f7d7a 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -266,9 +266,8 @@ class SessionHandlerPHP extends SessionHandler
         assert('is_string($session)');
 
         $session = unserialize($session);
-        assert('$session instanceof SimpleSAML_Session');
 
-        return $session;
+        return ($session !== false) ? $session : null;
     }
-- 
GitLab
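Review bot: The new `instanceof` guard silently discards a non-null value that is not a `SimpleSAML_Session`, so the misbehaving-handler case the commit message describes now falls through to whatever follows without leaving any trace. Consider recording the event before falling through, e.g. `if ($session !== null && !($session instanceof SimpleSAML_Session)) { /* log: session handler returned an unexpected type */ }`, so that a corrupted or tampered session store is diagnosable rather than hidden. The commit message says the check belongs in `SimpleSAML_Session::load()`, but this hunk places it in load()'s caller, so load() itself presumably still accepts whatever it is handed. The enclosing function starts and ends outside the hunk.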
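Review bot: With the `assert` removed, the handler now returns anything `unserialize()` produces other than `false` — a scalar, an array, or an object of an unrelated class from a corrupted session store — and relies on the caller to reject it. The handler can enforce its own contract and match the `SimpleSAML_Session|null` docblock in the same line: `return ($session instanceof SimpleSAML_Session) ? $session : null;`. If the project's minimum PHP version is 7.0 or later (not visible here), passing an `allowed_classes` list to `unserialize()` restricted to the classes a stored session actually contains would additionally stop objects of arbitrary classes from being instantiated from session data at all. Note that `unserialize()` also returns `false` for a legitimately serialized `false`, so the new check treats that case as "no session", which looks acceptable for this handler. The enclosing method starts outside the hunk.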