The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator returns always an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string, yields 0. Therefore, $diff is always 0, and the function returns true for every two strings with same length, regardless of their contents.

Added tests for SimpleSAMLUtilsSystem

This reverts commit b1b0d0ef.

This reverts commit c441f9c9.

It looks like mb_substr() doesn’t cope well with NULL as the third parameter in PHP 5.3.

First, there’s no reason to obtain the logout URLs only when logout was initiated. If we get them always, we allow templates to do fancy things like using javascript to do everything on the fly, without going through the script, by dynamically loading the iframes.

Second, we should always check the associations against the ones registered in the session. That way, we can log SPs out individually, and if we refresh the page after that, they will still be marked as logged out.

We stopped using the “async” URL mechanism in logout seven years ago.

bugfix: Assigning an array to the data property of a template removes all data added previously during template initialization.

This allows templates to build richer interfaces with more information to display.

Additionally, the “SPs”, “from” and “jquery” data entries have been deprecated and scheduled for removal in 2.0.

This way we we allow those writing themes to use twig extensions, filters, or anything they may need.

The default values are fine if no other applications use PHP sessions. However, when other apps are using PHP sessions, a conflict arises with the defaults, so let's try to make the defaults a bit more resilient.

Added Redis session storage documentation

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.

This allows custom themes to inject data for all templates by simply adding a new hook.

Add a check to the constructor of the new redis store to check if predis/predis is available, and throw a critical configuration error if not.

Added Redis as possible session storage mechanism, fixes #574

It actually needs a DOMNode, so it has been renamed to isDOMNodeOfType().

Additionally, some superfluous asserts() have been removed, and SimpleSAML\Utils\XML::getDOMChildren() has also changed its signature, as it should also receive a DOMNode, not a DOMElement.

If something fails, an exception would be thrown, instead of “false” being returned.

Also, at this point we are sure that the return value will be a string, because the call to fetch() does not set the third parameter ($getHeaders) to true.

SimpleSAML_Binding_Shib13_* classes refactorized to PSR-4 and PSR-2