- May 31, 2018: Tim van Dijen authored
- Apr 13, 2018: Matt Schwager authored
- Feb 02, 2018: Jaime Pérez Crespo authored
- Daniel Falkner Hansen authored
- Jan 26, 2018: Daniel Falkner Hansen authored
- Jan 04, 2018: Tim van Dijen authored
- Nov 29, 2017: Tim van Dijen authored
- Oct 19, 2017: fentie authored
- Jun 06, 2017: Jaime Pérez Crespo authored
When unserializing the session fails, the handler should return null instead of false. Additionally, SimpleSAML_Session::load() should make sure that it got an instance of SimpleSAML_Session, to prevent any misbehaving handler from generating an issue. This resolves #616.
- Apr 01, 2017: Sergio Gómez authored
- Mar 17, 2017: Jaime Pérez Crespo authored
Use it when constant-time comparisons are needed to avoid side-channel attacks.
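The point of a constant-time comparison is easiest to see next to the comparison it replaces. The following is an added example, not SimpleSAMLphp code: a timing-leaky string comparison, a hand-written constant-time one, and the built-in hash_equals() applied to an auth-token check. The function names are ours; the token is constructed at random.

```php
<?php
// Added example, not SimpleSAMLphp code: a timing-leaky comparison next to a
// constant-time one, applied to an auth-token check. Function names are ours.
declare(strict_types=1);

// Leaky: returns at the first differing byte, so response time reveals how
// many leading bytes of the guess were right. Never use this for secrets.
function leakyEquals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time: always touches every byte of $known, folds the length check
// into the result, and only ever leaks the length of the known value.
function constantTimeEquals(string $known, string $user): bool
{
    $knownLen = strlen($known);
    $userLen  = strlen($user);
    $diff = $knownLen ^ $userLen;
    for ($i = 0; $i < $knownLen; $i++) {
        // Out-of-range bytes of $user are replaced by 0 so the loop does the
        // same work regardless of the attacker-controlled length.
        $u = $i < $userLen ? ord($user[$i]) : 0;
        $diff |= ord($known[$i]) ^ $u;
    }
    return $diff === 0;
}

// In practice use the built-in hash_equals() (PHP >= 5.6); the known/expected
// value goes first, the user-supplied one second.
function authTokenMatches(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);
}

// Constructed sample: a random auth token and a few guesses.
$token = bin2hex(random_bytes(16));
assert(constantTimeEquals($token, $token) === true);
assert(constantTimeEquals($token, substr($token, 0, 31) . 'x') === false);
assert(constantTimeEquals($token, $token . 'extra') === false);
assert(authTokenMatches($token, $token) && !authTokenMatches($token, str_repeat('0', 32)));
```

The hand-written version is there only to show what "constant-time" has to mean in practice (no early return, same work for every input length); in real code the built-in is the right choice because it is maintained against compiler and interpreter optimisations that a loop in userland is not.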
- Dec 05, 2016: Jaime Pérez authored
- Jul 28, 2016: Jaime Pérez authored
This way, we completely avoid any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered when unserializing.
- Jaime Pérez authored
A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This always happens, as the SP will always redirect to the URL that originated authentication. The result was an empty DOMNodeList object where there should be some value. This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute. The issue was reported originally on the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
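The two commits above (DOMNodeList attribute values dumped to XML on serialize and parsed back on unserialize, without opening an XXE hole) and the later fix that makes SimpleSAML_Session::load() insist on a real session instance rather than accepting false describe one round trip. The following is an added example, not SimpleSAMLphp's own code, that walks that round trip end to end. It uses the __serialize()/__unserialize() hooks (PHP 7.4+) in place of the older Serializable interface the commit mentions; the class name ExampleSession, the 'rawAttributes' key, the wrapper element name and the sample eduPersonTargetedID value are ours.

```php
<?php
// Added example, not SimpleSAMLphp code. Attribute values handed over as a
// DOMNodeList are converted to XML text before the session is stored and
// parsed back when it is loaded; the loader only accepts a real session
// instance and returns null for anything else. Names are ours.
declare(strict_types=1);

final class ExampleSession
{
    /** @var array<string, array<int, string|DOMNodeList>> */
    private array $attributes = [];

    public function setAttribute(string $name, array $values): void
    {
        $this->attributes[$name] = $values;
    }

    public function getAttribute(string $name): array
    {
        return $this->attributes[$name] ?? [];
    }

    // PHP 7.4+ hook, used instead of the older Serializable interface. DOM
    // values are copied into a scratch document (importNode carries over the
    // namespace declarations they depend on) and stored as XML text.
    public function __serialize(): array
    {
        $plain = [];
        $raw = [];
        foreach ($this->attributes as $name => $values) {
            foreach ($values as $idx => $value) {
                if (!$value instanceof DOMNodeList) {
                    $plain[$name][$idx] = $value;
                    continue;
                }
                $tmp = new DOMDocument();
                $wrapper = $tmp->appendChild($tmp->createElement('value'));
                foreach ($value as $node) {
                    $wrapper->appendChild($tmp->importNode($node, true));
                }
                $raw[$name][$idx] = $tmp->saveXML($wrapper);
            }
        }
        return ['attributes' => $plain, 'rawAttributes' => $raw];
    }

    public function __unserialize(array $data): void
    {
        $this->attributes = $data['attributes'] ?? [];
        foreach ($data['rawAttributes'] ?? [] as $name => $values) {
            foreach ($values as $idx => $xml) {
                $this->attributes[$name][$idx] = self::parseValue($xml);
            }
        }
    }

    // Rebuild the DOMNodeList. Entity substitution stays off (no LIBXML_NOENT),
    // network access is off, and any DOCTYPE is rejected, so a tampered backend
    // record cannot turn the restore step into an XXE vector.
    private static function parseValue(string $xml): DOMNodeList
    {
        if (PHP_VERSION_ID < 80000) {
            libxml_disable_entity_loader(true); // the default since PHP 8.0
        }
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if ($ok === false || $doc->doctype !== null) {
            throw new RuntimeException('stored attribute value is not clean XML');
        }
        return $doc->documentElement->childNodes;
    }

    // Counterpart of SimpleSAML_Session::load(): anything that is not an
    // instance of this class (false, null, an incomplete object) means "no
    // session". Restricting allowed classes also blocks object injection.
    public static function load(string $blob): ?self
    {
        try {
            $obj = @unserialize($blob, ['allowed_classes' => [self::class]]);
        } catch (Throwable $e) {
            return null;
        }
        return $obj instanceof self ? $obj : null;
    }
}

// Constructed sample: an eduPersonTargetedID whose value is a NameID element
// rather than plain text, which is what produces the DOMNodeList case.
$doc = new DOMDocument();
$doc->loadXML(
    '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    . '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>'
    . '</saml:AttributeValue>'
);
$session = new ExampleSession();
$session->setAttribute('eduPersonTargetedID', [$doc->documentElement->childNodes]);
$session->setAttribute('mail', ['user@example.org']);

$restored = ExampleSession::load(serialize($session));
$nameId = $restored->getAttribute('eduPersonTargetedID')[0]->item(0);
assert($nameId instanceof DOMElement && $nameId->textContent === 'abc123');
assert($restored->getAttribute('mail') === ['user@example.org']);
assert(ExampleSession::load('b:0;') === null); // the old "false" failure value
```

Two design choices are worth spelling out. The restore step treats the backend as untrusted input: a session store that an attacker can write to (a shared memcache, a database with a weak grant) would otherwise be a place to plant an entity declaration, so the parser runs with entity substitution and network access off and refuses any DOCTYPE outright. And load() never hands back anything but a verified instance or null, which is exactly the contract the #616 fix above asks of session handlers.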
- Jul 07, 2016: Jaime Pérez authored
Revert the change of the signature of SimpleSAML_Session::useTransientSession(). Not needed after all.
- Jul 04, 2016: Jaime Pérez authored
bugfix: Make sure SimpleSAML_Session::getSessionFromRequest() always raises an exception when a transient session is used due to a misconfiguration or a temporary failure fetching an existing session. Transient sessions are just an exceptional event, and they shouldn't be treated as regular sessions. Therefore, if we are trying to get the current session and end up with a transient one, that's because an error occurred and we should raise an exception. Since exceptions due to secure cookies being set via an insecure channel are likely to be misconfigurations, we treat them as such, raising a SimpleSAML\Error\CriticalConfigurationError. Additionally, we capture exceptions in the SimpleSAML\Logger::flush() method, ensuring the error reported in #413 doesn't happen again. This resolves #356.
- Jaime Pérez authored
- Jaime Pérez authored
If it fails for some reason, we clear all the authentication-related data from the session, log an error, and rethrow the exception, so that the user does not continue as if nothing had happened when the auth token is not set.
- Jaime Pérez authored
Related to previous commits. The SimpleSAML_Session::updateSessionCookies() updates both the session cookie and the auth token. For the latter, it uses the setCookie() method from the session handler, while it should use the SimpleSAML\Utils\HTTP::setCookie() method instead.
- Jul 02, 2016: Jaime Pérez authored
Historically, SimpleSAML_SessionHandler::newSessionId() has also created the session, sending the cookies to the browser. This is problematic both because given the name of the method one would not assume such behaviour, and also because even for transient sessions the handler would then try to set cookies. When we are using a transient session, it is likely to be because we cannot set cookies or because there was a temporary error when loading the session. If we try to set the cookies even for transient sessions, we could either get an error because cookies cannot be set, or overwrite the previous session cookies with transient ones, trashing a legitimate session in case a temporary error occurs. As a side effect, this can also cause behaviours like the one described in issue #413. There's no point in trying to set the cookies when it's not possible, so we shouldn't even try, and save us the errors. To fix this, we made SimpleSAML_SessionHandler::setCookie() abstract, forcing each extending class to implement it. The former implementation is moved to SimpleSAML_SessionHandlerCookie, and the SimpleSAML_SessionHandlerPHP gets a new method that starts the session, effectively sending the cookie. SimpleSAML_Session would then be responsible for calling the setCookie() method of the session handler when creating a regular session, and skipping it when creating a transient one. This introduces a bug, since SimpleSAML_Session was trying to set the auth token cookie calling the same setCookie() method in the session handler. We fixed that by using SimpleSAML\Utils\HTTP::setCookie() instead, in 8756835b. This resolves #413.
- Jaime Pérez authored
If we just called isset() on SimpleSAML_Session::$instance and it returned false, then as we continue execution it makes no sense to get the "previous" instance, since it will always be null. We can just check that $instance is not null later.
- Jaime Pérez authored
This way we can pass an exception that made us use transient sessions, and get the method to throw that exception after getting the transient session.
- Jaime Pérez authored
SimpleSAML_Session should set the auth token using the SimpleSAML\Utils\HTTP::setCookie(), instead of the setCookie() method provided by session handlers. The SimpleSAML_SessionHandler::setCookie() method should be used only to set the session cookie, not random cookies. If we want cookies to have the same parameters as session cookies, we can always get the session parameters calling SimpleSAML_SessionHandler::getSessionParams() and pass them to SimpleSAML\Utils\HTTP::setCookie().
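The commits above (raising instead of silently returning a transient session, creating session identifiers without sending cookies as a side effect, and keeping the handler's setCookie() for the session cookie only) add up to one invariant: a temporary backend failure must never overwrite the browser's cookie for a legitimate session, and must never be mistaken for a working session by the caller. The following is an added example, not SimpleSAMLphp's own code, that models that invariant with an in-memory handler and a simulated outage. The class names, the cookie jar array standing in for the browser, the setHttpCookie() stand-in for SimpleSAML\Utils\HTTP::setCookie(), and the backendDown switch are all ours.

```php
<?php
// Added example, not SimpleSAMLphp code. A transient session is created without
// sending any cookie, and asking for the current session while only a transient
// one is available raises the underlying error instead of returning it. The
// handler, manager and cookie helper below are ours, reduced to memory.
declare(strict_types=1);

final class Session
{
    public function __construct(public string $id, public bool $transient) {}
}

// Stand-in for a session handler with a cookie-based identifier.
final class ExampleSessionHandler
{
    public const COOKIE_NAME = 'SimpleSAMLSessionID';

    /** @var array<string, Session> the "backend" */
    private array $store = [];
    public bool $backendDown = false;

    // Only mints an identifier; it no longer sets the cookie as a side effect.
    public function newSessionId(): string
    {
        return bin2hex(random_bytes(16));
    }

    public function load(string $id): ?Session
    {
        if ($this->backendDown) {
            throw new RuntimeException('session backend unreachable');
        }
        return $this->store[$id] ?? null;
    }

    public function save(Session $session): void
    {
        $this->store[$session->id] = $session;
    }

    // Sets the session cookie and nothing else. $jar stands in for the browser.
    public function setCookie(string $id, array &$jar): void
    {
        $jar[self::COOKIE_NAME] = $id;
    }
}

// Stand-in for SimpleSAML\Utils\HTTP::setCookie(): the generic setter used for
// every other cookie, such as the auth token.
function setHttpCookie(array &$jar, string $name, string $value): void
{
    $jar[$name] = $value;
}

final class ExampleSessionManager
{
    public function __construct(private ExampleSessionHandler $handler) {}

    public function getSessionFromRequest(array &$jar): Session
    {
        $id = $jar[ExampleSessionHandler::COOKIE_NAME] ?? null;
        if ($id !== null) {
            try {
                $existing = $this->handler->load($id);
            } catch (Throwable $e) {
                // Temporary failure: fall back to a transient session, but do
                // not touch the cookies (that would trash the real session),
                // and surface the cause instead of returning the fallback.
                $transient = new Session($this->handler->newSessionId(), true);
                throw new RuntimeException(
                    'only a transient session (' . $transient->id . ') is available', 0, $e
                );
            }
            if ($existing !== null) {
                return $existing;
            }
        }
        // No usable session: create a regular one and send its cookie.
        $session = new Session($this->handler->newSessionId(), false);
        $this->handler->save($session);
        $this->handler->setCookie($session->id, $jar);
        return $session;
    }
}

// Constructed scenario: log in, then lose the backend for one request.
$jar = [];
$handler = new ExampleSessionHandler();
$manager = new ExampleSessionManager($handler);

$first = $manager->getSessionFromRequest($jar);
setHttpCookie($jar, 'SimpleSAMLAuthToken', bin2hex(random_bytes(16)));

$handler->backendDown = true;
try {
    $manager->getSessionFromRequest($jar);
    assert(false, 'a transient session must not be returned silently');
} catch (RuntimeException $e) {
    assert($e->getPrevious() instanceof RuntimeException);
}
// The browser still holds the legitimate session cookie, so the user is not
// logged out once the backend recovers.
assert($jar[ExampleSessionHandler::COOKIE_NAME] === $first->id);
$handler->backendDown = false;
assert($manager->getSessionFromRequest($jar)->id === $first->id);
```

The failure mode being guarded against is the one the #413 commit describes: with the old behaviour, minting the transient identifier would also have written it into the cookie jar, and the recovered backend would then have seen an unknown identifier and started a fresh, unauthenticated session. Keeping the auth token on a separate, generic cookie setter is what lets the session handler's setCookie() stay strictly "the session cookie".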
- Apr 07, 2016: Jaime Perez Crespo authored
Add a method to SimpleSAMLphp_SessionHandlerPHP to restore a session that existed prior to our own session. This can be used in SimpleSAML_Session to restore the PHP session status prior to calling our API, while also guaranteeing that our session is correctly saved. The documentation has been updated to reflect this and recommend how to deal with conflicting PHP sessions. This closes #244 and resolves #349.
- Mar 31, 2016: Jaime Perez Crespo authored
- Mar 09, 2016: Jaime Perez Crespo authored
- Oct 27, 2015: Jaime Perez Crespo authored
Prevent the SimpleSAML_Logger class from creating loops while trying to get the track ID from the session. It must now be set manually by calling SimpleSAML_Logger::setTrackID(). Also allow SimpleSAML_Memcache to differentiate between a key not found in memcache and a failed request to memcache. If all servers are down, an exception is thrown and the user is informed about the internal error. This hopefully resolves #264.
- Oct 21, 2015: Jaime Perez Crespo authored
Bugfix: if there's no session, getCookieSessionId() cannot return a session identifier, therefore there's no session we can return. This resolves #256.
- Oct 14, 2015: Jaime Perez Crespo authored
- Aug 05, 2015: Jaime Perez Crespo authored
- Jaime Perez Crespo authored
- Apr 20, 2015: Jaime Perez Crespo authored
- Apr 16, 2015: Jaime Perez Crespo authored
Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0.
- Jaime Perez Crespo authored
- Jaime Perez Crespo authored
- Jan 20, 2015: Jaime Perez Crespo authored
- Jaime Perez Crespo authored
Stop calling SimpleSAML_Session::getAttributes() in the SimpleSAML_Error_Error class. Use an alternate way to try to fetch the user's mail.
- Jaime Perez Crespo authored
- Jaime Perez Crespo authored
Remove error handling code when session fails to initialise in SimpleSAML_Session::getSessionFromRequest().
- Jaime Perez Crespo authored