SAML: Headers Already Sent Error

Ian_M · September 13, 2018, 4:20pm

Hi All,
We’ve just upgraded to 1.8.11, and moved to PHP 7. Now SAML Authentication isn’t working. The SAMLResponse comes in OK, but the application crashes when trying to generate a new session for the authenticated user, with the error 'session_regenerate_id(): Cannot regenerate session id - headers already sent

The stack trace is:

#0 [internal function]: Slim\Slim::handleErrors(2, ''session_regener...'', ''F:\<Our Site>...'', 289, Array)
#1 F:\<Our Site>\lib\Helper\Session.php(289): session_regenerate_id(true)
#2 F:\<Our Site>\lib\Middleware\SAMLAuthentication.php(298): Xibo\Helper\Session->regenerateSessionId()
#3 [internal function]: Xibo\Middleware\SAMLAuthentication->Xibo\Middleware\{closure}()
#4 F:\<Our Site>\vendor\slim\slim\Slim\Route.php(468): call_user_func_array(Object(Closure), Array)
#5 F:\<Our Site>\vendor\slim\slim\Slim\Slim.php(1355): Slim\Route->dispatch()
#6 F:\<Our Site>\vendor\slim\slim\Slim\Middleware\Flash.php(85): Slim\Slim->call()
#7 F:\<Our Site>\vendor\slim\slim\Slim\Middleware\MethodOverride.php(92): Slim\Middleware\Flash->call()
#8 F:\<Our Site>\lib\Middleware\Actions.php(160): Slim\Middleware\MethodOverride->call()
#9 F:\<Our Site>\lib\Middleware\Theme.php(36): Xibo\Middleware\Actions->call()
#10 F:\<Our Site>\lib\Middleware\SAMLAuthentication.php(414): Xibo\Middleware\Theme->call()
#11 F:\<Our Site>\lib\Middleware\CsrfGuard.php(63): Xibo\Middleware\SAMLAuthentication->call()
#12 F:\<Our Site>\lib\Middleware\State.php(122): Xibo\Middleware\CsrfGuard->call()
#13 F:\<Our Site>\lib\Middleware\Storage.php(47): Xibo\Middleware\State->call()
#14 F:\<Our Site>\lib\Middleware\Xmr.php(37): Xibo\Middleware\Storage->call()
#15 F:\<Our Site>\vendor\slim\slim\Slim\Slim.php(1300): Xibo\Middleware\Xmr->call()
#16 F:\<Our Site>\web\index.php(124): Slim\Slim->run()
#17 {main}'

Because this didn’t happen with PHP 5.x I suspect it’s something that’s changed in 7. Has anybody encountered this and found what to do about it? We’re running on IIS.

edit: In php_errors.log, there is a little more information: headers already sent in \web\xmds.php on line 254 I’m not clear how xmds.php is getting in the way of authentication, though.

Peter · September 18, 2018, 1:50pm

Could you please confirm for me what exactly PHP version do you have installed now?

Just to also test something, if you’d clear sessions and browser cache, access the CMS in incognito mode, do you get the same error?

Ian_M · September 18, 2018, 7:07pm

Peter,
Thanks for your response. We’re on 7.1.13, to be precise.

Unfortunately, it happens with incognito mode, different browser, different computer, etc.

Ian_M · October 31, 2018, 5:53pm

For anybody who runs into something similar:

So the issue turned out to be that the directory \temp_files\php_session.save_path was misplaced after the PHP upgrade, causing it to lose track of sessions. Putting this directory at a place in the filesystem that matched the one specified by php7.ini did the trick.