Error creating session

[sapinva]

I've set up SimpleSAMLphp dozens of times and never had an issue. Trying to set up an idp, I'm getting "Error creating session: Headers already sent". Have checked and double checked all the config files to make sure no leading space was added, tried both 2.4 and 2.3 versions from download and git, reviewed the docs step by step and am out of ideas. Get this error on both core and admin modules. Am I missing something obvious in the config?

apache 2.4, php 8.3

log:

Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Localization: load domain 'messages' at '/home/sap/dev-sites/dc/idp/simplesamlphp/locales'
Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Trying langpath for 'en' as '/home/sap/dev-sites/dc/idp/simplesamlphp/locales/en/LC_MESSAGES/'
Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Localization: load domain 'core' at '/home/sap/dev-sites/dc/idp/simplesamlphp/modules/core/locales'
Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Trying langpath for 'en' as '/home/sap/dev-sites/dc/idp/simplesamlphp/modules/core/locales/en/LC_MESSAGES/'
Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Localization: load domain 'core' at '/home/sap/dev-sites/dc/idp/simplesamlphp/modules/core/locales'
Oct 31 18:26:48 simplesamlphp DEBUG [TR76d229de] Trying langpath for 'en' as '/home/sap/dev-sites/dc/idp/simplesamlphp/modules/core/locales/en/LC_MESSAGES/'
Oct 31 18:26:48 simplesamlphp ERROR [TR76d229de] Error creating session: Headers already sent.

config:

$httpUtils = new \SimpleSAML\Utils\HTTP();

$config = [
    'baseurlpath' => 'http://idp/sso/',
    'application' => [
    ],
    'cachedir' => 'cache',
    'loggingdir' => 'log',
    'datadir' => 'data',
    'tempdir' => '/tmp/SimpleSAMLphp',
    'certdir' => 'cert/',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'n...@example.org',
    'timezone' => 'America/New_York',
    'secretsalt' => '123lkj123lkj123lkj123',
    'auth.adminpassword' => 'secret',
    'admin.protectmetadata' => false,
    'admin.checkforupdates' => true,
    'trusted.url.domains' => [],
    'trusted.url.regex' => false,
    'enable.http_post' => false,
    'assertion.allowed_clock_skew' => 180,
    'debug' => [
        'saml' => false,
        'backtraces' => true,
        'validatexml' => false,
    ],
    'showerrors' => false,
    'errorreporting' => false,
    'logging.level' => SimpleSAML\Logger::DEBUG,
    'logging.handler' => 'file',
    'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
    'logging.processname' => 'simplesamlphp',
    'logging.logfile' => 'simplesamlphp.log',
    'statistics.out' => [
    ],
    'proxy' => null,
    'database.dsn' => 'mysql:host=localhost;dbname=idp',
    'database.username' => 'idp',
    'database.password' => 'idp',
    'database.options' => [],
    'database.prefix' => '',
    'database.driver_options' => [],
    'database.persistent' => false,
    'database.secondaries' => [
    ],
    'enable.saml20-idp' => true,
    'enable.adfs-idp' => false,
    'module.enable' => [
        'exampleauth' => true,
        'core' => true,
        'admin' => true,
        'saml' => true,
    ],
    'session.duration' => 8 * (60 * 60), // 8 hours.
    'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
    'session.state.timeout' => (60 * 60), // 1 hour
    'session.cookie.name' => 'SimpleSAMLSessionID',
    'session.cookie.lifetime' => 0,
    'session.cookie.path' => '/',
    'session.cookie.domain' => '',
    'session.cookie.secure' => false,
    'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
    'session.phpsession.cookiename' => 'SimpleSAML',
    'session.phpsession.savepath' => 'data',
    'session.phpsession.httponly' => true,
    'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
    'session.rememberme.enable' => false,
    'session.rememberme.checked' => false,
    'session.rememberme.lifetime' => (14 * 86400),
    'memcache_store.servers' => [
        [
            ['hostname' => 'localhost'],
        ],
    ],
    'memcache_store.prefix' => '',
    'memcache_store.expires' => 36 * (60 * 60), // 36 hours.
    'language.available' => [
        'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
        'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt_BR', 'tr', 'ja', 'zh', 'zh_TW',
        'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
    ],
    'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
    'language.default' => 'en',
    'language.parameter.name' => 'language',
    'language.parameter.setcookie' => true,
    'language.cookie.name' => 'language',
    'language.cookie.domain' => '',
    'language.cookie.path' => '/',
    'language.cookie.secure' => false,
    'language.cookie.httponly' => false,
    'language.cookie.lifetime' => (60 * 60 * 24 * 900),
    'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
    'theme.use' => 'default',
    'template.auto_reload' => false,
    'production' => false,
    'assets' => [
        'salt' => 'assets.salt.default',
        'caching' => [
            'max_age' => 86400,
            'etag' => false,
        ],
    ],
    'idpdisco.enableremember' => true,
    'idpdisco.rememberchecked' => true,
    'idpdisco.validate' => true,
    'idpdisco.extDiscoveryStorage' => null,
    'idpdisco.layout' => 'dropdown',
    'authproc.idp' => [
        30 => 'core:LanguageAdaptor',
        50 => 'core:AttributeLimit',
        99 => 'core:LanguageAdaptor',
    ],
    'authproc.sp' => [
        90 => 'core:LanguageAdaptor',
    ],
    'metadatadir' => 'metadata',
    'metadata.sources' => [
        ['type' => 'flatfile'],
    ],
    'metadata.sign.enable' => false,
    'metadata.sign.privatekey' => null,
    'metadata.sign.privatekey_pass' => null,
    'metadata.sign.certificate' => null,
    'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    'store.type' => 'sql',
    'store.sql.dsn' => 'sqlite:/home/sap/dev-sites/dc/idp/simplesamlphp/data/db.sq3',
    'store.sql.username' => null,
    'store.sql.password' => null,
    'store.sql.prefix' => 'SimpleSAMLphp',
    'store.sql.options' => [],
    'store.redis.host' => 'localhost',
    'store.redis.port' => 6379,
    'store.redis.username' => '',
    'store.redis.password' => '',
    'store.redis.tls' => false,
    'store.redis.insecure' => false,
    'store.redis.ca_certificate' => null,
    'store.redis.certificate' => null,
    'store.redis.privatekey' => null,
    'store.redis.prefix' => 'SimpleSAMLphp',
    'store.redis.mastergroup' => 'mymaster',
    'store.redis.sentinels' => [],
    'proxymode.passAuthnContextClassRef' => false,
];

idp hosted meta:

$metadata['http://idp'] = [
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'auth' => 'example-userpass',
];

[Björn Krellner]

Hi,

sapinva schrieb am Freitag, 31. Oktober 2025, um 23:43 Uhr:
> Trying to set up an idp, I'm getting "Error creating session: Headers
> already sent". Have checked and double checked all the config files to
> make sure no leading space was added

Also checked for absence of byte-order mark (BOM)? Some editors add it
(EF BB BF as first three bytes for UTF-8, e.g.).

Ciao
Björn

--
Björn Krellner
Facharbeitsgruppe Datenkommunikation
Universitätsrechenzentrum
 
Technische Universität Chemnitz
Straße der Nationen 62 | R. A11.302.1
09111 Chemnitz
Germany
Tel: +49 371 531-36524
 
bjoern....@hrz.tu-chemnitz.de
https://www.tu-chemnitz.de/

[sapinva]

Pretty sure there is no bom...

sap@venus:idp$ grep -rl $'\xEF\xBB\xBF'.
simplesamlphp/vendor/gettext/languages/UNICODE-LICENSE.txt
simplesamlphp/vendor/phpstan/phpstan/phpstan.phar
simplesamlphp/docs/resources/simplesamlphp-googleapps/googleapps-ssoconfig.png

I made another config (again copied from config.php.dist) with minimal changes and it's fine, so I know it was due to something in the config. Only significant change in the bad one was logging to a file. I suspect it's a bug. Xdebug trace is about 70mb, I may take a dive into that later to satisfy my curiosity.

[sapinva]

Never did find the problem, but a new config from scratch fixed it. Strangely it might be something with the logging set up.

[Tim van Dijen]

You may find a hint in your PHP error log. I suspect a fatal error being logged there.

- Tim

Op maandag 3 november 2025 om 21:12:30 UTC+1 schreef sap...@gmail.com:

[sapinva]

Nothing in the error log.

[sapinva]

There is something more insidious going on. I set up another site, copied the same simplesamlphp dir that is already working on one site to it and got the same error (failure to set the cookie because headers already sent). After getting to the point where I no longer trusted what I was seeing, I opened up the welcome page in a different browser and there was no error, then was able to login to see the admin page. So I went back to the other browser, opened the developer console and did a hard reload w/ clear cache and still same error. It's apparently for a reason that an entire docs page is dedicated to "no state". That really should not happen. Maybe something is being cached that the browser never clears, like a redirect? I would expect the app to set the cookie on the first visit no matter what, but per the logs that simply isn't happening. I'm betting if I wait a few days, it will work in the first browser.

[Tim van Dijen]

What could you see in the browser console?
Apparently the browser is refusing to set the cookie.  It is a know fact that browsers act differently in some situations.

Op dinsdag 4 november 2025 om 21:15:27 UTC+1 schreef sap...@gmail.com:

[Tim van Dijen]

Also, php fatal errors, depending on your setup, may end up in your webserver's logs or even in the system log.

Op woensdag 5 november 2025 om 08:46:23 UTC+1 schreef Tim van Dijen:

[sapinva]

The browser is not refusing, there was no cookie offered in the response headers. The debug messages aren't lying when it says the headers are already sent.