This allows us to still validate XML documents (disabling the entity loader makes it impossible, as we have multiple schemas in different files), while protecting against schemas trying to import from URLs.

This reverts commit 961f5250.

This is done already when creating the document, but here we should protect as well against rogue schema files.

We don't control we type of the default value

This was previously the case. However, when we introduced the new way to configure NameIDPolicy by using arrays, the default for old-style string configurations changed so AllowCreate was then unset. When unset, the SAML standard sets its default to false, effectively creating interoperability issues when uses upgraded SimpleSAMLphp without changing the configuration.

This resolves #1230.

Closes #1227

Added "database" parameter for Redis Client.

* SQL: changed init session table so it will work on MSSQL Databases

* SQL: changed rowCount by count of fetchAll
rowCount does not always returns number of rows on SELECT queries, i.e. MSSQL returns -1

PSR-12 compliancy

* Ensure getConfig* functions can only return Configuration

* Cleanup after #1189

* Deprecate Configuration::getConfigList

This allows us to default to the error log, while also not breaking SSP completely. If we cannot initialize the logging handler, then we resort to the web servers log and log a critical error.

This resolves #1194

bugfix: Do not flush logs after creating a session handler, we might not have a track ID and therefore the log will be trashed.

This (finally!) resolves #1176

This is due to a recent change in master. We're no longer trying to fill the sessionID for transient sessions (doesn't even make any sense), so everywhere else where we were checking the session ID (e.g. to store the session) we need to check if it's transient instead, and give up in that case.

Also, `$instance` can actually be `null` internally.

The new `$initializing` property should signal that we are initializing the logging handler with a value of `true`, not the other way around. Also, it should only be set to `true` while we are actually initializing the logging handler.

It just doesn't make any sense. If we managed to get it from an existing cookie, it serves no purpose, as at this point we couldn't load the session anyway, and what we use to track users is the track ID, not the session ID. Additionally, since this is a transient session, we're not going to push the cookie to the browser (we might not even can do that), so it's really pointless to set the session ID.

This, additionally, was causing that the Session class would be unable to initialize and register a transient session if the issue that forced us to use a transient in the first place was an issue with the session handler (e.g. missing PHP extensions or dependencies, or connection failure to the backend, etc). Under such circumstances, the code removed here will not work either, since the session handler will continue to fail to initialize. This would cause the exception handler to jump in, completely losing control of the execution, and making it impossible to display the error to the user (since the transient session creation is never completed, it cannot be used later where it is needed in the SimpleSAML\Error\Error class).

This resolves #914.

This could happen when the handler is depending on a PHP extension, or connection to a database fails, or any other circumstance that may trigger an exception in the constructor of the session handler itself. We should be aware of this when using the session handler, therefore we update the phpdoc here to reflect that.

This resolves #1023, resolves #1093 and closes #1095.

This resolves #1176

This comment used to be true, but the behaviour was changed in 3c52b289 in order to purge old data more often.