From d1ab898553155b22ba1bdd8a759204becbed3fca Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tim.dijen@minbzk.nl>
Date: Tue, 31 Aug 2021 20:17:07 +0200
Subject: [PATCH] Partially backport #1480

---
 lib/SimpleSAML/SessionHandlerPHP.php | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/lib/SimpleSAML/SessionHandlerPHP.php b/lib/SimpleSAML/SessionHandlerPHP.php
index 1e779ce8b..566225755 100644
--- a/lib/SimpleSAML/SessionHandlerPHP.php
+++ b/lib/SimpleSAML/SessionHandlerPHP.php
@@ -138,19 +138,26 @@ class SessionHandlerPHP extends SessionHandler
      */
     public function newSessionId(): string
     {
-        // generate new (secure) session id
-        $sid_length = (int) ini_get('session.sid_length');
-        $sid_bits_per_char = (int) ini_get('session.sid_bits_per_character');
+        if ($this->hasSessionCookie()) {
+            session_regenerate_id(false);
+            $session_id = session_id();
+        } else {
+            // generate new (secure) session id
+            $sid_length = (int) ini_get('session.sid_length');
+            $sid_bits_per_char = (int) ini_get('session.sid_bits_per_character');
+
+            if (($sid_length * $sid_bits_per_char) < 128) {
+                Logger::warning("Unsafe defaults used for sessionId generation!");
+            }
 
-        if (($sid_length * $sid_bits_per_char) < 128) {
-            Logger::warning("Unsafe defaults used for sessionId generation!");
+            $sessionId = session_create_id();
         }
 
-        $sessionId = session_create_id();
         if (!$sessionId) {
             Logger::warning("Secure session ID generation failed, falling back to custom ID generation.");
             $sessionId = bin2hex(openssl_random_pseudo_bytes(16));
         }
+        Session::createSession($sessionId);
 
         return $sessionId;
     }
@@ -165,7 +172,8 @@ class SessionHandlerPHP extends SessionHandler
     public function getCookieSessionId(): ?string
     {
         if (!$this->hasSessionCookie()) {
-            return null; // there's no session cookie, can't return ID
+            // there's no session cookie, can't return ID
+            return null;
         }
 
         if (headers_sent()) {
-- 
GitLab
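Review bot: In the new `hasSessionCookie()` branch of newSessionId() the regenerated id is stored in `$session_id`, but every line after the if/else reads `$sessionId`, so on that path `if (!$sessionId)` sees an undefined variable, the fallback `bin2hex(openssl_random_pseudo_bytes(16))` runs, and `Session::createSession($sessionId)` is handed an id that does not match the session PHP just regenerated for the browser. The branch should read `$sessionId = session_id();`. The return value of `session_regenerate_id(false)` is also not checked; if regeneration fails the old id is, as far as I know, what `session_id()` still returns, so the session would not actually be rotated — a guard such as `if (!session_regenerate_id(false)) { Logger::warning("Session ID regeneration failed."); }` is worth considering, though I cannot tell from the hunk how callers would want that handled. Passing `false` keeps the old session data file alive; if that is deliberate (e.g. to tolerate concurrent requests), a one-line comment saying so would save the next reader from "fixing" it.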