I’m encountering a problem with SimpleSAMLphp where it continuously generates session files whenever I initiate a SAML call (infinite loop). Upon investigation, I came across this error message:
SimpleSAML\Error\Exception: Warning - session_regenerate_id(): Session ID cannot be regenerated when there is no active session at /app/speedbooking/application/simplesamlphp/src/SimpleSAML/SessionHandlerPHP.php:141
and these 2 warnings:
Secure session ID generation failed, falling back to custom ID generation.
and
Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
What I discovered is that the application’s state is being stored in one session file, but when we receive the IdP response, it attempts to load it from a different session file, as you can see in the logs:
Apr 29 15:56:41 simplesamlphp DEBUG [60adaaaa0a] Saved state: '_b79ed93f9b6fd7b3fad37df6d95bcf04aa5beee455'
Apr 29 15:56:50 simplesamlphp WARNING [5d85bd4490] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
I’m puzzled as to how this could occur, considering that both my application and SimpleSAMLphp utilize the PHP session handler. My PHP version is 8.2, and the version of SimpleSAMLphp is 2.0.6.
I use simple PHP code:
index.php (application entry point):
    <?php
    include_once './init.php';
    echo "Session Id: " . session_id();
init.php:
    <?php
    session_start();
ws.php:
    <?php
    include_once './init.php';

    // Only dispatch to known actions; never call a function name taken straight from the request
    $allowed = ['loginUsingOkta'];
    $fncname = $_REQUEST['action'] ?? '';
    if (!in_array($fncname, $allowed, true)) {
        http_response_code(400);
        exit();
    }
    $fncname();

    function loginUsingOkta() {
        ssoLogin();
        // Debug output; without output buffering this echo stops the Location header below from being sent
        echo "Session data: " . json_encode($_SESSION);
        header("Location: /");
        exit();
    }

    function ssoLogin() {
        require_once './simplesamlphp/src/_autoload.php';
        // Close session and restore default handler
        session_write_close();
        session_set_save_handler(new SessionHandler(), true);
        // Authenticate against the 'default-sp' identity provider
        $auth = new \SimpleSAML\Auth\Simple('default-sp');
        if (!$auth->isAuthenticated()) {
            $auth->requireAuth();
        } else {
            // We are authenticated, let's get the attributes
            $attributes = $auth->getAttributes();
            // Use SimpleSAML\Session
            $session = \SimpleSAML\Session::getSessionFromRequest();
            $session->cleanup();
            session_write_close();
            // Back to custom save handler
            session_set_save_handler(new SessionHandler(), true);
            ini_set('session.save_path', './tmp/sessions');
            session_start();
            $_SESSION['email'] = $attributes['email'][0];
        }
    }
This issue is caused when I use session.cookie_path = “./tmp/sessions” in php.ini. I use a standard SimpleSAMLphp config.
Please, can anyone help me understand and resolve this issue?
Thanks
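A log check for the symptom described in the post, added here as an example and not part of the original post: it flags a failed state load whose bracketed ID never saved a state, which is what the two quoted log lines show. It assumes the bracketed value is SimpleSAMLphp's per-session track ID (default log format); `find_session_splits` and the last two sample lines are constructed for illustration.

```python
import re

# First two lines are the ones quoted in the post; the last two are constructed
# to show a failed load inside a session that DID save a state (not a split).
SAMPLE_LOG = """\
Apr 29 15:56:41 simplesamlphp DEBUG [60adaaaa0a] Saved state: '_b79ed93f9b6fd7b3fad37df6d95bcf04aa5beee455'
Apr 29 15:56:50 simplesamlphp WARNING [5d85bd4490] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
Apr 29 16:02:10 simplesamlphp DEBUG [aa11bb22cc] Saved state: '_constructed0001'
Apr 29 16:02:15 simplesamlphp WARNING [aa11bb22cc] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
"""

# Assumed layout: "<date> <process> <LEVEL> [<track id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ (?P<level>[A-Z]+) "
    r"\[(?P<track>[0-9a-f]+)\] (?P<msg>.*)$"
)
SAVED_RE = re.compile(r"Saved state: '(?P<state>[^']+)'")
LOAD_FAIL_RE = re.compile(r"Could not load state specified by InResponseTo")


def find_session_splits(log_text):
    """Return one finding per failed state load whose track ID never saved a state."""
    saved = {}      # track ID -> list of (timestamp, state ID) saved in that session
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a SimpleSAMLphp line in the assumed format
        ts, track, msg = m["ts"], m["track"], m["msg"]
        s = SAVED_RE.search(msg)
        if s:
            saved.setdefault(track, []).append((ts, s["state"]))
        elif LOAD_FAIL_RE.search(msg) and track not in saved:
            # The response arrived in a session that has no saved state at all:
            # the browser came back with a different (or no) session cookie.
            findings.append({
                "time": ts,
                "response_track": track,
                "tracks_with_saved_state": sorted(saved),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_splits(SAMPLE_LOG):
        print(f"{f['time']}: response handled in session {f['response_track']}, "
              f"state was saved in {f['tracks_with_saved_state']}")
```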