Dear Jaime,
thank you for your response.
On Fri, 5 Aug 2016, Jaime Perez Crespo wrote:
> > Aug 3 10:58:49 servername simplesamlphp[9029]: 3 [55f0db324c] SimpleSAML_Error_Exception: Error 2 - Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
> > Aug 3 10:58:49 servername simplesamlphp[9029]: 3 [55f0db324c] Backtrace:
> > Aug 3 10:58:49 servername simplesamlphp[9029]: 3 [55f0db324c] 1 /var/lib/simplesamlphp/instances/simplesamlphp-abadms/www/_include.php:83 (SimpleSAML_error_handler)
> > Aug 3 10:58:49 servername simplesamlphp[9029]: 3 [55f0db324c] 0 [builtin] (N/A)
> > Aug 3 10:58:49 servername simplesamlphp[9029]: 3 [55f0db324c] SimpleSAML_Error_Exception: Error 2 - Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php5/sessions)
>
> This is likely to be an issue. Have you verified that your web server can write new files to that path?
*** I think, the webserver can write to this location:
drwx-wx-wt 2 root root 12288 Aug 8 16:03 /var/lib/php5/sessions/
and there are many sess_* files, but the IDs are shorter then what I found in
SimpleSAML\Utils\Random::generateID():
-rw------- 1 www-data www-data 3652 Aug 8 16:02 sess_f7c2a7237eb5795e971a34cb733283e8
-rw------- 1 www-data www-data 3652 Aug 8 16:02 sess_fd7c68e90c060864641b859c7fd97006
-rw------- 1 www-data www-data 3652 Aug 8 16:02 sess_fe0f6824b67c03fc34a48645169b8c33
-rw------- 1 www-data www-data 3652 Aug 8 16:02 sess_ff2298b9211fe47ccbcff0116e2719f7
> > The PHP5 checks if the session ID contains only allowed characters, but since
> > SSP 1.14.5 the function SimpleSAML_SessionHandlerPHP::setCookie() sets to PHP
> > Session ID (using session_id() function) to own random generated ID from
> > SimpleSAML\Utils\Random::generateID(), which begins with "_”.
>
> No, it doesn’t. This is the method that generates an ID for the session, the
> one that setCookie() is setting latter on by calling session_id():
>
>
> /**
> * Create a new session id.
> *
> * @return string The new session id.
> */
> public function newSessionId()
> {
> // generate new (secure) session id
> $sessionId = bin2hex(openssl_random_pseudo_bytes(16));
> SimpleSAML_Session::createSession($sessionId);
>
> return $sessionId;
> }
*** OK, I have found this method in SessionHandlerPHP.php and
SessionHandlerCookie.php, which calls createSession() from Session.php and
this createSession() uses the $sessionId in PHP array:
self::$sessions[$sessionId] = null;
But I mean code from www/authmemcookie.php
--------------------------------------------------
33 // generate session id and save it in a cookie
34 $sessionID = SimpleSAML\Utils\Random::generateID();
35
36 $cookieName = $amc->getCookieName();
37
38 $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
39 $sessionHandler->setCookie($cookieName, $sessionID);
--------------------------------------------------
$sessionID is generated in SimpleSAML\Utils\Random::generateID() and then is
called $sessionHandler->setCookie($cookieName, $sessionID) and this sets PHP
Session ID in SessionHandlerPHP.php:
--------------------------------------------------
346 if (session_id() !== '') {
347 // session already started, close it
348 session_write_close();
349 }
350
351 session_id($sessionID);
352 $this->sessionStart();
--------------------------------------------------
At least, if I have inserted some debug outputs before line 351 and after 351
to write the PHP Session ID direct from PHP using session_id(), then before
351 it writes shorter PHP-valid PHP session ID and after 351 it writes longer
PHP-invalid PHP session ID with "_" at the beginning:
--------------------------------------------------
346 if (session_id() !== '') {
347 // session already started, close it
348 session_write_close();
349 }
350
351 if ($f=fopen("php://stderr","w")) { fwrite($f,sprintf("before Session ID:%s\n",session_id())); fclose($f); };
352 session_id($sessionID);
353 if ($f=fopen("php://stderr","w")) { fwrite($f,sprintf("after Session ID:%s\n",session_id())); fclose($f); };
354 $this->sessionStart();
--------------------------------------------------
Generates following output in the error log (apache2/error.log):
--------------------------------------------------
before Session ID:
after Session ID:a29ed02d990b010739a789feaf1d4ac9
before Session ID:a29ed02d990b010739a789feaf1d4ac9
after Session ID:_8e109d2d0e8028d01e46810505a3c189939b44ccb9
[Mon Aug 08 16:30:10.682702 2016] [:error] [pid 9356] [client
127.0.0.1:37270] PHP Warning: Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0, referer:
https://IDP-SERVER/module.php/core/loginuserpass.php?AuthState=_aa7458296a1b2174d06550dc66a7fe8bc8c9b5d8b0%3Ahttps%3A%2F%2FIDP-SERVER%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DSP-SERVER%26cookieTime%3D1470666583%26RelayState%3Dhttps%253A%252F%252FSP-SERVER%252Fauth%252Fauthmemcookie.php
[Mon Aug 08 16:30:10.684209 2016] [:error] [pid 9356] [client
127.0.0.1:37270] PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php5/sessions) in Unknown on line 0, referer:
https://IDP-SERVER/module.php/core/loginuserpass.php?AuthState=_aa7458296a1b2174d06550dc66a7fe8bc8c9b5d8b0%3Ahttps%3A%2F%2FIDP-SERVER%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3DSP-SERVER%26cookieTime%3D1470666583%26RelayState%3Dhttps%253A%252F%252FSP-SERVER%252Fauth%252Fauthmemcookie.php
--------------------------------------------------
The first "before Session ID" is empty while this is first access to this
site, then first "after Session ID" shows PHP-valid PHP generated session ID.
The second "before Session ID" shows still PHP-valid PHP session ID, but then the
code sets PHP-invalid PHP sessions ID.
And thea PHP session file for PHP-valid session ID does exist in the
/var/lib/php5/sessions:
-rw------- 1 www-data www-data 3652 Aug 8 16:30 sess_a29ed02d990b010739a789feaf1d4ac9
If I replace the underscore in generateID() with "a", then I can see
following output in apache2/error.log
--------------------------------------------------
before Session ID:
after Session ID:6086b10babf284f3c82e961dd318a415
before Session ID:6086b10babf284f3c82e961dd318a415
after Session ID:a135885e6eddfde6c0a9e7d569f4ae0f3f24b0c49eb
--------------------------------------------------
There is no error about invalid session id and about writing to
/var/lib/php5/sessions. So the session ID comes really from generateID() and
not from newSessionId().
And there exist the PHP session files too for both session IDs in
/var/lib/php5/sessions:
--------------------------------------------------
-rw------- 1 www-data www-data 3652 Aug 8 17:04 sess_6086b10babf284f3c82e961dd318a415
-rw------- 1 www-data www-data 3751 Aug 8 17:04 sess_a135885e6eddfde6c0a9e7d569f4ae0f3f24b0c49eb
--------------------------------------------------
> Well, if this was an issue as you are describing it, SimpleSAMLphp would be
> unusable with PHP sessions. I find it unlikely then that nobody mentioned
> this so far, if that was the case. Furthermore, I’ve tested these last
> releases extensively with both the PHP and Memcache session handlers, since
> there were a lot of changes there fixing bugs, and they work just fine. I
> have just verified indeed that the session IDs generated do not contain any
> underscores and that sessions work fine when PHP is managing them.
*** We use the "Auth MemCookie" with Apache "Auth MemCookie" Module as
described in "SimpleSAMLphp Advanced Features" / "Auth MemCookie":
https://simplesamlphp.org/docs/1.14/simplesamlphp-advancedfeatures#section_5
Is this maybe unsupport now? Should we use some other solution?
> My guess is that you have some collision with the session cookie between
> SimpleSAMLphp and some other application, causing trouble to SimpleSAMLphp.
*** There is no other application. Original apache on debian installation,
with "It works!" default static HTML page, whole <Location /> protected with:
Alias /auth /var/lib/simplesamlphp/instances/simplesamlphp-sso-test/www
<Location /auth>
Order allow,deny
allow from all
Satisfy any
</Location>
<Location />
Auth_memCookie_CookieName SimpleSAMLSessionID
Auth_memCookie_Memcached_Configuration "--SERVER=
127.0.0.1:11211"
Auth_memCookie_SessionTableSize 20
Auth_memCookie_Authoritative on
Auth_memCookie_SetSessionHTTPHeader on
ErrorDocument 401 "/auth/authmemcookie.php"
AuthType Cookie
AuthName "My Login"
require valid-user
</Location>
Is this configuration still correct?
> Since these changes were introduced in version 1.14.5, it makes full sense
> that you are seeing the issue after upgrading to 1.14.5 or later. That
> doesn’t mean though this is an issue in SimpleSAMLphp. On the contrary, it
> seems it’s an issue in your setup, that didn’t show up before just because
> prior to 1.14.5, SimpleSAMLphp did not bother to try to save the
> applications session.
>
> I’d review the configuration and the general architecture of your system.
> Also, tracing the HTTP exchange with something like the SAML tracer would
> help. If you see a cookie with the same name as your SimpleSAMLphp session
> cookie being set (the "Set-Cookie" HTTP header), prepended with an
> underscore, take a look at the URI that originated that cookie being set.
> That’s probably the source of your trouble.
*** As the sso-test host does not use any PHP application using PHP sessions,
the only possibility is www/authmemcookie.php. As written above, is some
problem in the www/authmemcookie.php code? Should be this this updated
somehow?
May I show you the browser path? Does it help?
First access to SP:
>>> URL=
https://sso-test.DOMAIN/
<<< Set-Cookie=PHPSESSID=a4b360700531b2f918b2d32f14653b2b; path=/
This PHPSESSID cookie is set in requireAuth() from www/authmemcookie.php:
--------------------------------------------------
24 // load Auth MemCookie configuration
25 $amc = SimpleSAML_AuthMemCookie::getInstance();
26
27 $sourceId = $amc->getAuthSource();
28 $s = new SimpleSAML_Auth_Simple($sourceId);
29
30 // check if the user is authorized. We attempt to authenticate the user if not
31 $s->requireAuth();
--------------------------------------------------
and then it redirects to SSO.
After successfull login SSO redirects to SP:
>>> URL=
https://sso-test.DOMAIN/auth/module.php/saml/sp/saml2-acs.php/sso-test.DOMAIN-sp
>>> Cookie
>>> PHPSESSID=a4b360700531b2f918b2d32f14653b2b
<<< Set-Cookie
<<< PHPSESSID=a4b360700531b2f918b2d32f14653b2b; path=/
<<< SimpleSAMLAuthToken=a2d30d65fd2135d097b380a246386b71dd492b02df4; path=/
<<< Location=
https://sso-test.DOMAIN/auth/authmemcookie.php
saml2-acs.php redirects to authmemcookie.php again with two PHPSESSID:
>>> URL=
https://sso-test.DOMAIN/auth/authmemcookie.php
>>> Cookie
>>> PHPSESSID=a4b360700531b2f918b2d32f14653b2b
>>> SimpleSAMLAuthToken=a2d30d65fd2135d097b380a246386b71dd492b02df4
<<< Set-Cookie
<<< PHPSESSID=a4b360700531b2f918b2d32f14653b2b; path=/
<<< PHPSESSID=a72dee9c023ff0c11653ca07ac6f771c2ab78e1d81e; path=/
<<< Location=
https://sso-test.DOMAIN/auth/authmemcookie.php
The second PHPSESSID is set in setCookie() in www/authmemcookie.php:
--------------------------------------------------
38 $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
39 $sessionHandler->setCookie($cookieName, $sessionID);
--------------------------------------------------
and then it redirects again to authmemcookie.php:
>>> URL=
https://sso-test.DOMAIN/auth/authmemcookie.php
>>> Cookie
>>> PHPSESSID=a72dee9c023ff0c11653ca07ac6f771c2ab78e1d81e
>>> SimpleSAMLAuthToken=a2d30d65fd2135d097b380a246386b71dd492b02df4
<<< Set-Cookie
<<< PHPSESSID=a72dee9c023ff0c11653ca07ac6f771c2ab78e1d81e; path=/
<<< PHPSESSID=a535fcd4fe2beaa36ade7819a075b37c2ffaa53c153; path=/
<<< Location=
https://sso-test.DOMAIN/auth/authmemcookie.php
and again and again, everytime setting new ID for PHPSESSID:
>>> URL=
https://sso-test.DOMAIN/auth/authmemcookie.php
>>> Cookie
>>> PHPSESSID=a535fcd4fe2beaa36ade7819a075b37c2ffaa53c153
>>> SimpleSAMLAuthToken=a2d30d65fd2135d097b380a246386b71dd492b02df4
<<< Set-Cookie
<<< PHPSESSID=a535fcd4fe2beaa36ade7819a075b37c2ffaa53c153; path=/
<<< PHPSESSID=a1f6142cff647aedc9e5bf6754ba58aef767a52326e; path=/
<<< Location=
https://sso-test.DOMAIN/auth/authmemcookie.php
>>> URL=
https://sso-test.DOMAIN/auth/authmemcookie.php
>>> Cookie
>>> PHPSESSID=a1f6142cff647aedc9e5bf6754ba58aef767a52326e
>>> SimpleSAMLAuthToken=a2d30d65fd2135d097b380a246386b71dd492b02df4
<<< Set-Cookie
<<< PHPSESSID=a1f6142cff647aedc9e5bf6754ba58aef767a52326e; path=/
<<< PHPSESSID=a43e6c16b0e39b558a2315f759d861c183be4558965; path=/
<<< Location=
https://sso-test.DOMAIN/auth/authmemcookie.php
Do you have any idea? I am not sure, how it should works. Should it really set
other PHPSESSID oder should it use some other Cookie for SSP Session?
Thank you very much for your help. I will try to search myself, what could be
the error, if we have some problem in config.
Regards,
Robert Wolf.