Download & Extend
Shibboleth authentication » Issues

warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in shib_auth.module on line 79

Posted by smithmb on October 23, 2009 at 12:48pm
Project:Shibboleth authentication
Version:6.x-3.3
Component:Code
Category:bug report
Priority:critical
Assigned:Unassigned
Status:needs work

Issue Summary

Hello --

If I let both my SP and IdP session expire, and then visit my drupal site, I'm getting the following error:

* Your session is expired. Please log in again!
* warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in /siteroot/modules/shib_auth/shib_auth.module on line 79.

Login or register to post comments

Comments

#1

Posted by smithmb on November 10, 2009 at 1:44pm
Priority:normal» critical

Marking critical as there's a giant red drupal error every time this happens, which is basically at least once every day for me.

#2

Posted by shafter on November 10, 2009 at 2:18pm
Priority:critical» normal

I set it back to normal, because showing an error if the session was destroyed is a feature, not a bug. A new security feature makes the module to destroy the session twice in this case, that's why it displays an error message. The solution is ready, and will be commited along with other features and fixes soon.
If you want a quick solution, cut the contents of line 70 paste in line 60 in shib_auth.module, and modify line 71, write elseif instead of if.

Thanks,
shafter - NIIF member

#3

Posted by smithmb on November 12, 2009 at 7:25pm

Thanks!

#4

Posted by smithmb on December 18, 2009 at 1:22pm
Priority:normal» critical

Hi -- your instructions don't match my source file from the Oct 20th release. A Drupal-generated message might be a feature, but a PHP warning is probably always a bug in a project like Drupal. We've been getting these PHP warnings for a month now :(.

#5

Posted by kambiz.aghaiepour on January 6, 2010 at 4:28pm

ETA on a fix? Your session is expired seems ok to me ... but the :

warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in /usr/share/drupal/modules/shib_auth/shib_auth.module on line 79.

is a bit much on the site.

#6

Posted by bajnokk on January 7, 2010 at 4:19pm

A fix was recently committed to the CVS, I hope it can fix this. Could you please test it?

#7

Posted by jastraat on September 13, 2010 at 9:25pm

The fix worked for me. (I've attached a patch file from the CVS log for others who are interested in testing it.

AttachmentSize
session_destroy.patch 1.76 KB

#8

Posted by markusbroman on September 27, 2010 at 1:48pm

Hi. When will the next version of Shibboleth authentication be released? Im getting the "warning: session_destroy()"-message all the time and I don't know if its safe to use the dev version. But I see now that its been a while since the module was updated. So, any plans for a new release?

// Markus

#9

Posted by Kleve on September 27, 2010 at 1:54pm

Hi. I have the same issue. /Andreas

#10

Posted by bajnokk on January 25, 2011 at 3:08pm
Status:active» needs review

Can you guys please test 4.0-rc1? It contains the fix, hopefully.

#11

Posted by skottler on August 22, 2011 at 1:29pm
Status:needs review» needs work

+++ /cvs/drupal/contributions/modules/shib_auth/shib_auth.module 2010/01/07 15:06:36 1.3.4.5.2.32
@@ -66,22 +66,23 @@
+    if ($_SESSION['uname'] != $uname) { ¶

Remove trailing space.

+++ /cvs/drupal/contributions/modules/shib_auth/shib_auth.module 2010/01/07 15:06:36 1.3.4.5.2.32
@@ -66,22 +66,23 @@
+  }
+  else {
+      $_SESSION['uname'] = $uname;

This conforms to coding standards much more closely.

I'm really not at all sure how this patch would make it work because its a code style patch, but I've review it anyhow. I don't approve of it getting committed as part of this issue.

#12

Posted by shafter on August 23, 2011 at 6:44am

I can't see the point of coding standarizing an old revision, version 3.3 is not supported anymore.

nobody click here