- Jul 02, 2016
Jaime Pérez authored
Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs. As a side effect, this can also cause behaviours like the one described in issue #413.

There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.

To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one.

This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b.

This resolves #413.
-
Jaime Pérez authored
If we just called isset() on SimpleSAML_Session::$instance, and it returned false as we continued execution, it makes no sense to get the "previous" instance since it will always be null. We can just check that $instance is not null later.
-
Jaime Pérez authored
-
Jaime Pérez authored
This way we can pass an exception that made us use transient sessions, and get the method to throw that exception after getting the transient session.
-
Jaime Pérez authored
SimpleSAML_Session should set the auth token using the SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers. The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().
-
Jaime Pérez authored
Make the SimpleSAML\Utils\HTTP::setCookie() method throw the new SimpleSAML\Error\CannotSetCookie exception.
-
Jaime Pérez authored
-
Jaime Pérez authored
-
Jaime Pérez authored
-
Jaime Pérez authored
-
- Jun 29, 2016
Jaime Pérez authored
In line with the previous commit, we now allow hooking in the exception handler, so that a module can implement its own logic to deal with certain exceptions.
-
Jaime Pérez authored
The module.php file is the way we allow modules to have their own pages. All those are executed and presented to the user via this script. However, if an exception is thrown by a module, that exception will be captured directly by the module.php script. This prevents us from adding more logic to exception handling, adds code duplication, and makes the exception handling non-uniform, since we could end up handling the same exception differently depending on whether it was thrown by a module or by a regular page.

Now we no longer intercept exceptions in module.php, allowing the exception handler to kick in. That way exceptions are always handled uniformly, and we can also implement additional logic that we may want (i.e. adding a hook to the exception handler so that modules could handle exceptions the way they want).
-
- Jun 27, 2016
Jaime Pérez authored
Now that we are using realpath() to try to obtain the URL relative to the base URL path of SSP, we need to use real scripts or realpath() will return an empty string.
-
Jaime Pérez authored
Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.
-
Jaime Pérez authored
PHP 5.3 does not allow the use of $this inside closures. This is a temporary fix for compatibility with 5.3, while we are still supporting it. We will drop this when updating the minimum requirements to PHP 5.4.
-
Jaime Pérez Crespo authored
docs: make it work with Apache 2.4
-
Pásztor János authored
-
- Jun 24, 2016
Pásztor János authored
* Add an extra Apache access control directive to make it work with newer Apaches

Source: http://stackoverflow.com/questions/23337446/getting-a-403-forbidden-error-for-simplesaml-after-apache-upgrade
-
- Jun 11, 2016
Jaime Pérez Crespo authored
docs: Recommend the usual commit message rules
-
- Jun 10, 2016
Mantas Mikulėnas authored
It is much easier to review commits (e.g. with `tig`) if they have a short subject line – e.g. a sysadmin might want to quickly skip all the "docs: Foo" and "tests: Bar" commits and focus on the important parts.
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Hanne Moa authored
-
Jaime Perez Crespo authored
Remove config templates that are no longer used. They are creating confusion and serve no purpose after all.
-
- Jun 09, 2016
Jaime Perez Crespo authored
-
Thijs Kinkhorst authored
Based on patch by Nishanth Aravamudan <nish.aravamudan@canonical.com>
-
- Jun 08, 2016
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
Fix the tests to handle the new, more permissive behaviour of SimpleSAML_Configuration::getBaseURL(), and add tests for getBasePath() too.
-
Jaime Perez Crespo authored
Make sure the new SimpleSAML_Configuration::getBasePath() complies with its phpdoc, returning always at least a slash. Fix also the regex that's supposed to catch paths, as it still wants them to end with a slash.
-
Jaime Perez Crespo authored
Add a new SimpleSAML_Configuration::getBasePath() method as described in #364, deprecate getBaseURL() and make sure it generates a warning (and only one) when used.
-
Jaime Perez Crespo authored
Change the extension of the documentation files from .txt to .md so that they can be processed as Markdown and displayed on GitHub.
-
Jaime Perez Crespo authored
Update the documentation regarding translation (remove all references to the translation portal, reformat and fix typos).
-
Jaime Perez Crespo authored
Update the documentation. Trailing slashes are no longer required for 'baseurlpath'. This resolves #363.
-
Jaime Perez Crespo authored
Fix build. There was a bug in SimpleSAML\Utils\HTTP::parseQueryString() that was producing an empty parameter with an empty value when the query string was empty.
-