PHP 7 is now out, and Travis-CI supports it as part of their standard configuration (rather than forcing you to use the PHP nightly build). Last night I submitted a pull request to add PHP 7 support to the Known Travis build, which was a little bit problematic.

Known uses Apache + PHP-FPM, rather than the Travis default nginx setup, and while there are guides for getting this working on the Travis site, it seems that they’re not quite there for the PHP 7 build.

The PHP 7 build was running into this error:

[15-Feb-2016 23:14:58] WARNING: Nothing matches the include pattern '/home/travis/.phpenv/versions/7.0.3/etc/php-fpm.d/*.conf' from /home/travis/.phpenv/versions/7.0.3/etc/php-fpm.conf at line 125.
[15-Feb-2016 23:14:58] ERROR: No pool defined. at least one pool section must be specified in config file
[15-Feb-2016 23:14:58] ERROR: failed to post process the configuration
[15-Feb-2016 23:14:58] ERROR: FPM initialization failed
/home/travis/build.sh: line 45: 25862 Segmentation fault      (core dumped) ~/.phpenv/versions/$(phpenv version-name)/sbin/php-fpm

This took a little while to diagnose, but in the end the fix was pretty simple. Basically it looks like the Travis PHP7 build of PHP-FPM expects, but cannot find, a pool definition. You don’t need to customise it, just put a default one into PHP-FPM’s config directory.

So, I packaged a default template with the Known patch, and in my .travis.yml added the following to before_script:

- if [[ ${TRAVIS_PHP_VERSION:0:3} == "7.0" ]]; then sudo cp Tests/build/www.conf ~/.phpenv/versions/$(phpenv version-name)/etc/php-fpm.d/; fi

I also modified the Apache vhost example and added ServerName localhost to the definition (although this might not be needed).

After this, the build completes successfully.

PHP7 is new, so I suspect Travis will fix this shortly. However, hopefully this will prevent some hair-pulling in the meantime!

So, it’s been a frustrating few days debugging a supposedly simple single sign-on handshake conducted over SAML.

Further to my last post, here are a couple of gotchas that tripped me up.

Watch your session settings

If you’re using sessions, you need to make damn sure your cookie settings are the same in both your app and SimpleSAML’s config.php.

Sadly, this isn’t always possible, at least not without making an offering to the Elder Gods. SimpleSAMLphp’s settings are fiddly, and in the time I was poking at it, I couldn’t find a way of getting it to entirely match the application’s more enhanced security settings (we, for example, stipulate various ini flags and up the session’s hash algorithm).

SimpleSAMLphp also seems to have a habit of generating its own session ids, although I might have been blinking at the source too long.

Either way, I ended up commenting out the session initialisation code in SessionHandlerPHP::__construct() and replacing every instance of the session starting code with a call to the app’s session initialisation code.

This adds some maintenance debt, but life is too short.

Debug in incognito mode

If you’ve been banging your head against session problems for long, you’ll have a lot of cruft in your cookie jar.

A hard-learnt lesson (obvious in hindsight) was that even if the code works, it’ll likely fail with our old friend "Exception: The POST data we should restore was lost."

The simplest way of ensuring you’re going to be clicking through with a fresh session is to use your browser’s incognito mode to test, and after each test shut down all of these windows (they share a context, so you’ve got to close all tabs and windows to fully clear the context) and open a new one.

Hopefully this might save you some time and frustration.

Just a quickie for those who are trying to integrate SAML authentication into their app using SimpleSAMLphp.

Here’s the problem: You’ve set up your client SP, and you’re talking to a remote IdP. You’ve tested your authentication using the SimpleSAML web interface on your SP, but whenever you try it from your app, you hit an exception.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /path/to/simplesamlphp-1.13.2/www/module.php:179 (N/A)
Caused by: Exception: The POST data we should restore was lost.
Backtrace:
1 /path/to/simplesamlphp-1.13.2/modules/core/www/postredirect.php:38 (require)
0 /path/to/simplesamlphp-1.13.2/www/module.php:134 (N/A)

Assuming no esoteric input filtering, the problem is likely to be in your cookie settings.

If your app creates its own session, it is likely to be creating its own cookie with its own name. E.g.

session_name('FooApp');

You must make SimpleSAMLphp use the same session name by setting 'session.phpsession.cookiename' => 'FooApp' in its config.php.

Simple… but it took me quite a while of being convinced I’d screwed up the server config to track down!

Hope this saves someone some time.
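
Both SAML posts above come down to the app and SimpleSAMLphp disagreeing about the session cookie (its name in this post, its other settings in the "Watch your session settings" section), so here is a drift check as an added example, not code from the original posts or from SimpleSAMLphp. The function name and sample values are hypothetical, the config keys are the ones from SimpleSAMLphp's config.php template, and the fallback to PHP's session.name when no cookie name is configured is an assumption to verify against your version.

```php
<?php
// Maps session_get_cookie_params() keys to SimpleSAMLphp config.php keys.
const COOKIE_KEY_MAP = [
    'lifetime' => 'session.cookie.lifetime',
    'path'     => 'session.cookie.path',
    'domain'   => 'session.cookie.domain',
    'secure'   => 'session.cookie.secure',
    'httponly' => 'session.phpsession.httponly',
];

// Hypothetical helper: one line per setting that differs between the app
// and SimpleSAMLphp's $config array; an empty result means they are aligned.
function sessionCookieMismatches(string $appName, array $appParams, array $sspConfig): array
{
    $problems = [];
    // Assumption: with no cookiename set, SimpleSAMLphp uses PHP's session.name.
    $sspName = $sspConfig['session.phpsession.cookiename'] ?? ini_get('session.name');
    if ($sspName !== $appName) {
        $problems[] = "cookie name: app='$appName' simplesamlphp='$sspName'";
    }
    foreach (COOKIE_KEY_MAP as $phpKey => $sspKey) {
        $app = $appParams[$phpKey] ?? null;
        $ssp = $sspConfig[$sspKey] ?? null;
        if ($phpKey === 'domain') {
            // PHP reports an unset domain as '', config.php uses null.
            $app = $app ?: null;
            $ssp = $ssp ?: null;
        }
        if ($app !== $ssp) {
            $problems[] = sprintf('%s: app=%s %s=%s', $phpKey,
                var_export($app, true), $sspKey, var_export($ssp, true));
        }
    }
    return $problems;
}

// Constructed sample values, not taken from any real deployment.
$appParams = ['lifetime' => 0, 'path' => '/', 'domain' => '',
              'secure' => true, 'httponly' => true];
$sspConfig = [
    'session.phpsession.cookiename' => null,
    'session.phpsession.httponly'   => false,
    'session.cookie.lifetime'       => 0,
    'session.cookie.path'           => '/',
    'session.cookie.domain'         => null,
    'session.cookie.secure'         => false,
];
foreach (sessionCookieMismatches('FooApp', $appParams, $sspConfig) as $line) {
    echo $line, PHP_EOL;
}
```

In a real deployment, pass the app's actual session_name() and session_get_cookie_params() values and the $config array defined by SimpleSAMLphp's config.php, and fail the build when the result is not empty.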