[TASK] Only set FE user cookie if session data or user logged in
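--- a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
+++ b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
@@ -113,6 +113,10 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
         * Default constructor.
         */
        public function __construct() {
+               // Disable cookie by default, will be activated if saveSessionData() is called,
+               // a user is logging-in or an existing session is found
+               $this->dontSetCookie = TRUE;
+
                $this->session_table = 'fe_sessions';
                $this->name = self::getCookieName();
                $this->get_name = 'ftu';
@@ -239,6 +243,19 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
                return $loginData;
        }
 
+       /**
+        * Creates a user session record and returns its values.
+        * However, as the FE user cookie is normally not set, this has to be done
+        * before the parent class is doing the rest.
+        *
+        * @param array $tempuser User data array
+        * @return array The session data for the newly created session.
+        */
+       public function createUserSession($tempuser) {
+               $this->setSessionCookie();
+               return parent::createUserSession($tempuser);
+       }
+
        /**
         * Will select all fe_groups records that the current fe_user is member of - and which groups are also allowed in the current domain.
         * It also accumulates the TSconfig for the fe_user/fe_groups in ->TSdataArray
@@ -396,6 +413,10 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
                        if (empty($this->sesData)) {
                                // Remove session-data
                                $this->removeSessionData();
+                               // Remove cookie if not logged in as the session data is removed as well
+                               if (!empty($this->user['uid'])) {
+                                       $this->removeCookie($this->name);
+                               }
                        } elseif ($this->sessionDataTimestamp === NULL) {
                                // Write new session-data
                                $insertFields = array(
@@ -405,6 +426,8 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
                                );
                                $this->sessionDataTimestamp = $GLOBALS['EXEC_TIME'];
                                $GLOBALS['TYPO3_DB']->exec_INSERTquery('fe_session_data', $insertFields);
+                               // Now set the cookie (= fix the session)
+                               $this->setSessionCookie();
                        } else {
                                // Update session data
                                $updateFields = array(
@@ -426,6 +449,20 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
                $GLOBALS['TYPO3_DB']->exec_DELETEquery('fe_session_data', 'hash=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, 'fe_session_data'));
        }
 
+       /**
+        * Log out current user!
+        * Removes the current session record, sets the internal ->user array to a blank string
+        * Thereby the current user (if any) is effectively logged out!
+        * Additionally the cookie is removed
+        *
+        * @return void
+        */
+       public function logoff() {
+               parent::logoff();
+               // Remove the cookie on log-off
+               $this->removeCookie($this->name);
+       }
+
        /**
         * Executes the garbage collection of session data and session.
         * The lifetime of session data is defined by $TYPO3_CONF_VARS['FE']['sessionDataLifetime'].
@@ -532,10 +569,10 @@ class FrontendUserAuthentication extends \TYPO3\CMS\Core\Authentication\Abstract
         * @todo Define visibility
         */
        public function record_registration($recs, $maxSizeOfSessionData = 0) {
-               // Storing value ONLY if there is a confirmed cookie set (->cookieID),
+               // Storing value ONLY if there is a confirmed cookie set,
                // otherwise a shellscript could easily be spamming the fe_sessions table
                // with bogus content and thus bloat the database
-               if (!$maxSizeOfSessionData || $this->cookieId) {
+               if (!$maxSizeOfSessionData || $this->isCookieSet()) {
                        if ($recs['clear_all']) {
                                $this->setKey('ses', 'recs', array());
                        }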
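Review bot: The guard added in the `@@ -396,6 +413,10 @@` hunk removes the cookie when a user IS logged in, which is the opposite of what its own comment ("Remove cookie if not logged in") and the commit title intend: `if (!empty($this->user['uid']))` is true for an authenticated user, so an authenticated session whose session data becomes empty would lose its cookie and be logged out on the next request, while an anonymous session with empty data keeps a cookie that identifies nothing. The line should read `if (empty($this->user['uid'])) {`. The enclosing method starts and ends outside the hunk, so whether `$this->user` is guaranteed to be an array at that point is not visible here. In the last hunk the switch from `$this->cookieId` to `$this->isCookieSet()` presumably relies on a helper in the abstract parent class; it is not shown on this page, so that reading is inferred.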