Convert to our wrapper class for assertions

An issue in the code prevented the SameSite session cookie option from being set the first time we were reaching SSP when using PHP versions older than 7.3.

This fixes #1320

* fixed warning when Warning: session_create_id(): Failed to create new ID in /var/ssosp/lib/SimpleSAML/SessionHandlerPHP.php

* Use session_create_id() unconditionally

In master, we require PHP 7.2, which is guaranteed to provide `session_create_id()`. Therefore, we don't need the if clause any longer. Add also a warning when `session_create_id()` fails, and fall back gracefully to our old way to create session IDs.

Co-authored-by: Jaime Pérez Crespo <jaime.perez@uninett.no>

* Remove deprecated classes

* Remove support for certificate fingerprints

* Remove many deprecated methods and pieces of code

* Remove SAML1.1/Shib1.3 support

* Remove many superfluous annotations

* Update unit test to work with new PHPunit

Closes #1268 
Closes #1020 
Closes #431 
Closes #167 
Closes #151 

* Migrate assertions to Webmozart

Fixes #1270

PSR-12 compliancy

This (finally!) resolves #1176

This resolves #1176

Add support for RFC6265bis SameSite cookie attribute

Fixes for the remainder of lib/SimpleSAML

Fixes issue https://github.com/simplesamlphp/simplesamlphp/issues/793

When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, to avoid any misbehaving handlers to generate an issue.

This resolves #616.

This is related to #478.

Make exception message when setting secure PHP session cookies through an insecure channel coincident with the message in SimpleSAML\Utils\HTTP::setCookie().

Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.

Revert "Set the session name explicitly in SessionHandlerPHP, even when we are using the default value."

This reverts commit cd6278cc.

Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs.

As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.

To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b.

This resolves #413.