* Migrate HTTP::redirect

* Migrate HTTP::redirectTrustedURL

* Migrate HTTP::redirectUntrustedURL

* Migrate HTTP::submitPOSTData

* Temporarily revert to make phpunit work

* Migrate logout handlers

* Remove unnecessary assertion & simplify logics

* Remove unnecessary assertion & add new one to check response type

* Remove unnecessary assertion & rationalize code

* Migrate IdPDisco

* Migrate ProcessingChain

* Fix return-type & drop unnecessary use-statement

* Address review comments

* Do not add caching headers at all

* Fix type-confusions

* Migrate saml2 bindings

* Migrate completeAuth

* Migrate handleLogout

* Migrate some more

* Migrate a whole lot more (messy)

* Migrate logout

* Migrate a whole lot more (also messy)

* Many fixes

* Raise coverage

* Psalm: Ignore exteranl adfs-module

* Replace use of _GET globals

* Migrate bindings (send)

* Migrate bindings (receive)

* Fix psalm-dev

* Fix assertion

* s/subclassOf/isInstanceOf

* Fix type-confusion in logout handlers

* Update container

* Bump saml2 + adfs

* Rename namespace

- Import SimpleSAML\Session twice case warnings.
- Remove other unused imports.

* Migrate email utils to non-static

* Migrate http utils to non-static

* Migrate net utils to non-static

* Migrate random utils to non-static

* Migrate system utils to non-static

* Migrate time utils to non-static

* Migrate xml utils to non-static

* Upgrade notes

* Update test-framework

* Fix tests

* Migrate array utils to non-static

* Migrate attribute utils to non-static

* Migrate auth utils to non-static

* Migrate config utils to non-static

* Migrate crypto utils to non-static

* Raise coverage

* Fix rebase issue

Currently the remember me functionality does not work correctly and using it results in severable undefined index errors as the expire cookie parameter is passed along the SessionHandlerPHP which does not accept this one. Using lifetime instead of expire, effectively doing the same thing, this can be fixed in a pretty simple way. Next to that the params given to the session handler are merged with the current ones before given to the session handler instead of after.

Convert to our wrapper class for assertions

* Migrate assertions to Webmozart

* Raise minimum PHP version to 7.0

* Remove tests pre-PHP 7.2

* Upgrade dev dependencies

* Ignore tests for deprecated class

* Add typehints; not touching public API

* Remove none-array replacements-param; old behaviour from pre-1.4 release

* Psalm fixes

* Add upgrade notes

* PSR-12

PSR-12 compliancy

This is due to a recent change in master. We're no longer trying to fill the sessionID for transient sessions (doesn't even make any sense), so everywhere else where we were checking the session ID (e.g. to store the session) we need to check if it's transient instead, and give up in that case.

It just doesn't make any sense. If we managed to get it from an existing cookie, it serves no purpose, as at this point we couldn't load the session anyway, and what we use to track users is the track ID, not the session ID. Additionally, since this is a transient session, we're not going to push the cookie to the browser (we might not even can do that), so it's really pointless to set the session ID.

This, additionally, was causing that the Session class would be unable to initialize and register a transient session if the issue that forced us to use a transient in the first place was an issue with the session handler (e.g. missing PHP extensions or dependencies, or connection failure to the backend, etc). Under such circumstances, the code removed here will not work either, since the session handler will continue to fail to initialize. This would cause the exception handler to jump in, completely losing control of the execution, and making it impossible to display the error to the user (since the transient session creation is never completed, it cannot be used later where it is needed in the SimpleSAML\Error\Error class).

This resolves #914.

This comment used to be true, but the behaviour was changed in 3c52b289 in order to purge old data more often.

The SimpleSAML\Session::expireData() method did not mark the session as dirty when there was expired data on it, so if nothing else changed, the data was never actually purged. It was done like this by design, but in practice, it seems like sessions aren't modified as often, meaning they end up growing a lot with each state array that's stored on them, and expired data is never removed. We now check for expired data in the save() method (which is run every time a session is destroyed, if not manually) and if there is any, we mark the session as dirty, so that it is actually updated in the backend. Most of the time this will be transparent and have no visible performance hit, as it'll be run after the response is sent, during shutdown.

This closes #1053