Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • cesnet_simplesamlphp-1.19.8
  • elixir_simplesamlphp-1.19.8
  • simplesamlphp-1.19.8
  • cesnet_simplesamlphp-1.19.5
  • simplesamlphp-2.0
  • feature/assets
  • feature/rac-source-selector
  • cleanup/remove-base64-attributes
  • simplesamlphp-1.19
  • elixir_simplesamlphp-1.19.5
  • aarc_idp_hinting
  • feature/validate-authstate-before-processing
  • feature/build-two-tarballs
  • dependabot/composer/twig/twig-3.4.3
  • tvdijen-patch-1
  • unchanged-acs-url-no-www-script
  • feature/translation-improvements
  • symfony6
  • move_tests
  • v1.19.9
  • v2.1.3
  • v2.0.10
  • v2.1.2
  • v2.0.9
  • v2.1.1
  • v2.0.8
  • v2.1.0
  • v2.0.7
  • v2.1.0-rc1
  • v2.0.6
  • v2.0.5
  • 2.0.4-alpha.1
  • v2.0.4-alpha.1
  • v2.0.4
  • v2.0.3
  • v2.0.2
  • v2.0.1-alpha.1
  • v2.0.1
  • v1.19.8
40 results
Search by author
  • Any Author
  • Bohumír Maštalíř Bohumír Maštalíř mastalir
  • David Flor David Flor 493294
  • Jakub Kriš Jakub Kriš 182608
  • Jan Pavlíček Jan Pavlíček 469355
  • Jiří Prokop Jiří Prokop 525248
  • Marek Hlávka Marek Hlávka 484956
  • Martin Kuba Martin Kuba 3988
  • Matej Jošťák Matej Jošťák mixxo
  • Mgr. Radim Křivánek Mgr. Radim Křivánek radimkrivanek
  • Michal Berky Michal Berky 514063
  • Pavel Vyskočil Pavel Vyskočil 445753
  • Pavel Zlámal Pavel Zlámal 256627
  • Perun-GitLab Service Account Perun-GitLab Service Account 9045464
  • Peter Bolha Peter Bolha 485456
  • Peter Lényi Peter Lényi 256333
  • Přemysl Kala Přemysl Kala 47343
  • Rastislav Kruták Rastislav Kruták 492918
  • Šárka Palkovičová Šárka Palkovičová 492687
18 authors
  1. Jul 02, 2016
    • Jaime Pérez's avatar
      bugfix: Stop SimpleSAML_SessionHandler::newSessionId() from initializing the session. · 4056af12
      Jaime Pérez authored 
      Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs.

As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors.

To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible to call the setCookie() method of the session handler when creating a regular session, and skip it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b.

This resolves #413.
      4056af12
    • Jaime Pérez's avatar
      Set the session name explicitly in SessionHandlerPHP, even when we are using the default value. · cd6278cc
      Jaime Pérez authored
      cd6278cc
    • Jaime Pérez's avatar
      Fix indentation. · 271be82c
      Jaime Pérez authored
      271be82c
  3. Jun 08, 2016
  5. Apr 12, 2016
  7. Apr 07, 2016
  9. Feb 15, 2016
  11. Oct 26, 2015
  13. Aug 04, 2015
  15. Jun 08, 2015
  17. May 27, 2015
  19. Apr 21, 2015
  21. Apr 16, 2015
  23. Jul 09, 2014
  25. Sep 13, 2013
  27. Sep 11, 2013
  29. Sep 05, 2013
  31. Jan 30, 2012
  33. Aug 10, 2011
  35. Aug 09, 2010
  37. Jul 13, 2010
  39. Jul 07, 2010
  41. Feb 24, 2010
  43. Feb 15, 2010
    • Olav Morken's avatar
      Disable cookie secure-flag by default. · c4ae073b
      Olav Morken authored 
      This patch removes the autodetection of the secure flag for the cookie
based on whether the user is accessing simpleSAMLphp through https. The
reason for this is that the user can often access an SP through both
https and http. If the user starts with http, everything will work, but
if the user starts with https, the user will get two separate cookies,
one for https and one for http.

This patch introduces a new configuration option in config.php:

    /*
     * Set the secure flag in the cookie.
     *
     * Set this to TRUE if the user only accesses your service
     * through https. If the user can access the service through
     * both http and https, this must be set to FALSE.
     */
    'session.cookie.secure' => FALSE,

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2180 44740490-163a-0410-bde0-09ae8108e29a
      c4ae073b
  45. Dec 02, 2009
  47. Sep 25, 2009
  49. Aug 14, 2009
  51. Jun 06, 2008
  53. May 14, 2008
  55. May 13, 2008
  57. Mar 12, 2008
  59. Jan 30, 2008
  61. Dec 18, 2007