Fix a bug in the PHP session handler

When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, to avoid any misbehaving handlers to generate an issue. This resolves #616.

Fix a bug in the PHP session handler
ab344d88 · Jaime Pérez Crespo · c3025c85 · ab344d88 · ab344d88
Unverified Commit ab344d88 authored 7 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -270,7 +270,7 @@ class SimpleSAML_Session implements Serializable
        }

        // if getSession() found it, use it
-        if ($session !== null) {
+        if ($session instanceof SimpleSAML_Session) {
            return self::load($session);
        }

@@ -311,7 +311,7 @@ class SimpleSAML_Session implements Serializable
     *
     * @param string|null $sessionId The session we should get, or null to get the current session.
     *
-     * @return SimpleSAML_Session The session that is stored in the session handler, or null if the session wasn't
+     * @return SimpleSAML_Session|null The session that is stored in the session handler, or null if the session wasn't
     * found.
     */
    public static function getSession($sessionId = null)

--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -266,9 +266,8 @@ class SessionHandlerPHP extends SessionHandler
        assert('is_string($session)');

        $session = unserialize($session);
-        assert('$session instanceof SimpleSAML_Session');

-        return $session;
+        return ($session !== false) ? $session : null;
    }