From 2d2b0b82f0d10e35d619cfdd990729e6a1cbb5db Mon Sep 17 00:00:00 2001 From: Robbie Averill Date: Thu, 25 Jul 2019 12:03:12 +0200 Subject: [PATCH 1/2] DOCS Fix incorrect rendering of note on list item [ci skip] --- docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md index 791318d8a..a3393a72a 100644 --- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md +++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md @@ -598,8 +598,7 @@ In addition, you can tighten password security with the following configuration * `Member.password_expiry_days`: Set the number of days that a password should be valid for. * `Member.lock_out_after_incorrect_logins`: Number of incorrect logins after which the user is blocked from further attempts for the timespan defined in `$lock_out_delay_mins` - * `Member.lock_out_delay_mins`: Minutes of enforced lockout after incorrect password attempts. - Only applies if `lock_out_after_incorrect_logins` is greater than 0. + * `Member.lock_out_delay_mins`: Minutes of enforced lockout after incorrect password attempts. Only applies if `lock_out_after_incorrect_logins` is greater than 0. * `Security.remember_username`: Set to false to disable autocomplete on login form ## Clickjacking: Prevent iframe Inclusion From 5c794dfcdd42b319325c867f4a807429ad93a553 Mon Sep 17 00:00:00 2001 From: Robbie Averill Date: Mon, 29 Jul 2019 16:07:04 +0200 Subject: [PATCH 2/2] FIX Prevent setting session value when no session exists yet --- src/Security/Security.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/Security/Security.php b/src/Security/Security.php index e066988ac..ad221afc8 100644 --- a/src/Security/Security.php +++ b/src/Security/Security.php 
@@ -2,6 +2,7 @@ namespace SilverStripe\Security; +use BadMethodCallException; use LogicException; use Page; use ReflectionClass; @@ -420,10 +421,14 @@ class Security extends Controller implements TemplateGlobalProvider $message = $messageSet['default']; } - list($messageText, $messageCast) = $parseMessage($message); - static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast); + try { + list($messageText, $messageCast) = $parseMessage($message); + static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast); - $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']); + $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']); + } catch (BadMethodCallException $ex) { + // noop, if session was not set yet + } // TODO AccessLogEntry needs an extension to handle permission denied errors // Audit logging hook
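Review bot: The new `try` block wraps `$parseMessage($message)` and `setSessionMessage(...)` as well as the `getSession()->set(...)` call the catch was added for, so a `BadMethodCallException` raised while building or casting the message is now silently dropped together with the session write. Keep `list($messageText, $messageCast) = $parseMessage($message);` above `try {` so only the two session-touching calls are covered, or, if the request exposes whether a session is attached, replace the exception-driven probe with an explicit check. Because both the warning message and the `BackURL` are lost without any trace on this path, the catch comment should state why that is acceptable rather than `// noop`, e.g. `// No session attached to this request yet, so the message and BackURL cannot be persisted; drop them` (the exact condition under which the request has no session is not visible in this hunk). The enclosing method starts and ends outside the hunk.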