
Code example:

<?php

require_once(DRUPAL_ROOT . '/simplesaml/lib/_autoload.php');
session_write_close();
session_set_save_handler(new SessionHandler(), true);
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();
$attributes = $as->getAttributes();

$samlSession = \SimpleSAML\Session::getSessionFromRequest();
$samlSession->cleanup();

$_SESSION['saml'] = $attributes; // <-- this does not work: altering $_SESSION at this point is useless. Reading $_SESSION on another page shows nothing saved after the SimpleSAMLphp functions were called

We are using SimpleSAMLphp on our website as SP to use with a Shibboleth IDP. The server can't run the Apache modules or memcache, so we need to use PHP sessions. The SimpleSAMLphp documentation says:

If we are using PHP sessions in SimpleSAMLphp and in the application we are protecting, SimpleSAMLphp will close any existing session when invoked for the first time, and its own session will prevail afterwards. If you want to restore your own session after calling SimpleSAMLphp, you can do so by cleaning up the session like this:

$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();

If you don't cleanup SimpleSAMLphp's session and try to use $_SESSION afterwards, you won't be using your own session and all your data is likely to get lost or inaccessible.

The problem is, that is exactly the issue we are facing. Whatever I write into $_SESSION after loading the SSP files is lost at the new page request.

Now, we are using Drupal 7. I don't know how to implement the documentation code in a Drupal environment:

// use custom save handler
session_set_save_handler($handler); // What is this? What is $handler?
session_start();

// close session and restore default handler
session_write_close();
session_set_save_handler(new SessionHandler(), true);

// use SimpleSAML\Session
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
session_write_close();

// back to custom save handler
session_set_save_handler($handler); // How do I get the Drupal handler?
session_start();

So how do I implement the session swapping in a Drupal 7 environment? Or, generally, how do I get a session handler / reference?

Drupal itself does this at some point in session.inc:

session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');

But calling any Drupal session function didn't work; $_SESSION was always unwritable (or rather didn't actually save) after using SimpleSAMLphp.

Alex
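The documentation recipe quoted above, with `$handler` made concrete for Drupal 7. This is an added example, not code from the question, the answer, SimpleSAMLphp or Drupal: it assumes a bootstrapped Drupal 7 (DRUPAL_ROOT defined, includes/session.inc loaded, so the `_drupal_session_*` callbacks from the question exist), SimpleSAMLphp under DRUPAL_ROOT/simplesaml, and an SP named 'default-sp'; the `DrupalSessionHandler` adapter and the function name are my own. Since PHP has no call that returns the currently registered handler, the adapter rebuilds it from Drupal's callbacks, and the session name and id are captured before the swap because SimpleSAMLphp may change the session name for its own cookie.

```php
<?php
// Added example: swap Drupal 7's session out, let SimpleSAMLphp use PHP's default
// handler, then swap Drupal's session back in so $_SESSION writes persist.
require_once DRUPAL_ROOT . '/simplesaml/lib/_autoload.php';

/** Adapter (assumption): wraps Drupal 7's procedural session callbacks in an object. */
class DrupalSessionHandler implements SessionHandlerInterface
{
    public function open($savePath, $sessionName) { return _drupal_session_open(); }
    public function close()                        { return _drupal_session_close(); }
    public function read($sid)                     { return _drupal_session_read($sid); }
    public function write($sid, $data)             { return _drupal_session_write($sid, $data); }
    public function destroy($sid)                  { return _drupal_session_destroy($sid); }
    public function gc($maxlifetime)               { return _drupal_session_garbage_collection($maxlifetime); }
}

function drupal7_store_saml_attributes($spName = 'default-sp')
{
    $handler     = new DrupalSessionHandler();
    $drupalName  = session_name(); // Drupal's SESS... / SSESS... cookie name
    $drupalId    = session_id();   // captured before closing, so we can reopen it

    // 1. Close Drupal's session and fall back to PHP's default handler, so that
    //    SimpleSAMLphp's own PHP session never goes through Drupal's {sessions} table.
    session_write_close();
    session_set_save_handler(new SessionHandler(), true);

    // 2. Authenticate; requireAuth() redirects to the IdP if there is no SAML session yet.
    $as = new \SimpleSAML\Auth\Simple($spName);
    $as->requireAuth();
    $attributes = $as->getAttributes();

    // 3. Persist and close SimpleSAMLphp's session.
    \SimpleSAML\Session::getSessionFromRequest()->cleanup();
    session_write_close();

    // 4. Re-register Drupal's handler, restore Drupal's cookie name and id, and reopen
    //    the Drupal session; from here on $_SESSION is stored by Drupal again.
    session_set_save_handler($handler, true);
    session_name($drupalName);
    session_id($drupalId);
    session_start();

    $_SESSION['saml'] = $attributes; // persists on the next request
    return $attributes;
}
```

On PHP 8.1+ the adapter methods emit deprecation notices unless return types (or `#[\ReturnTypeWillChange]`) are added; the swap itself is unaffected.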

1 Answer


Edited:

If you are not using SimpleSAMLphp's stand-alone web UI, this might work:

require_once(DRUPAL_ROOT . '/simplesaml/lib/_autoload.php');

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();
$attributes = $as->getAttributes();

$samlSession = \SimpleSAML\Session::getSessionFromRequest();
$samlSession->cleanup();
$_SESSION['saml'] = $attributes;

It should keep your original session handler (which would also be used by SSP), then reload the old session ID by restoring the previous session id and name.


Original answer:

Looking at the SimpleSAMLphp session handler's code, it should already recover the previous session, if there is one active at the moment SimpleSAMLphp is invoked.

I would say that what happens here is that you manually closed the session with session_write_close(); before SimpleSAMLphp started its own, so when you closed SimpleSAMLphp's session, the previous one could not be restored.

I would try the following (I assumed this is the code you are using):

// If I recall correctly, Drupal already starts the session for you,
// but if that's not the case in your configuration, uncomment the following lines
// session_set_save_handler($handler);
// session_start();

// use SimpleSAML\Session
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();

// Just resume your $_SESSION use
$_SESSION['myAttribute'] = 'myValue';

  • SSP does the closing in their tutorial though. If I am correct, this function just writes the variables into the session file on the server. – Alex Nov 13 '20 at 17:23
  • You are right, then my question is: are you using the SimpleSAMLphp's stand-alone web UI? Otherwise the doc states that this might not be a problem. `session_write_close();` writes variables into the session storage and ends the session -> https://www.php.net/manual/en/function.session-write-close.php – Héctor Paúl Cervera-García Nov 13 '20 at 22:14
  • Edited my answer if the answer to my question is no. – Héctor Paúl Cervera-García Nov 13 '20 at 22:18