[BUGFIX] Avoid corrupted session when IP changes 47/54347/3
authorMarkus Klein <markus.klein@typo3.org>
Mon, 9 Oct 2017 11:45:41 +0000 (13:45 +0200)
committerBenni Mack <benni@typo3.org>
Tue, 10 Oct 2017 15:06:40 +0000 (17:06 +0200)
If the client's IP changes and is no longer within the
lockIP range, a new session is now created.

Resolves: #82490
Releases: master, 8.7
Change-Id: I7dc5033318fa9eb1efc929af126b38cc9840e964
Reviewed-on: https://review.typo3.org/54347
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Franz Holzinger <franz@ttproducts.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

index c845c71..37ce489 100644 (file)
@@ -950,11 +950,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
             return false;
         }
 
-        // Fail if user session is not in current IPLock Range
-        if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
-            return false;
-        }
-
         $this->sessionData = unserialize($sessionRecord['ses_data']);
         // Session is anonymous so no need to fetch user
         if ($sessionRecord['ses_anonymous']) {
@@ -1058,7 +1053,16 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
     public function isExistingSessionRecord($id)
     {
         try {
-            return !empty($this->getSessionBackend()->get($id));
+            $sessionRecord = $this->getSessionBackend()->get($id);
+            if (empty($sessionRecord)) {
+                return false;
+            }
+            // If the session does not match the current IP lock, it should be treated as invalid
+            // and a new session should be created.
+            if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
+                return false;
+            }
+            return true;
         } catch (SessionNotFoundException $e) {
             return false;
         }
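Review bot: The IP-lock comparison is now enforced only inside isExistingSessionRecord, while the first hunk removes it from the session-fetch path (that method starts outside the hunk), so any caller that fetches a session record without first going through isExistingSessionRecord no longer has the lock applied; it is worth confirming that every fetch path passes this check, or keeping one private predicate such as `isSessionRecordWithinIpLock(array $sessionRecord): bool` that both paths call. Reading `$sessionRecord['ses_iplock']` on a record without that key emits a notice (or an exception under a strict error handler) before failing closed, so `$sessionRecord['ses_iplock'] ?? null` would make the fail-closed intent explicit. The final guard plus `return true;` can also be a single expression: `return $sessionRecord['ses_iplock'] === $this->ipLockClause_remoteIPNumber($this->lockIP) || $sessionRecord['ses_iplock'] === '[DISABLED]';`.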