[BUGFIX] Do not throw away active session 79/48379/6
authorHelmut Hummel <info@helhum.io>
Sat, 28 May 2016 21:02:09 +0000 (23:02 +0200)
committerHelmut Hummel <typo3@helhum.io>
Sat, 9 Jul 2016 20:38:27 +0000 (22:38 +0200)
Previously an active and valid session was dismissed if login
credentials were sent again.

Now we do not start the user authentication if we have a valid session.

This also fixes weird side effects during backend login, when
it says that token is not valid.

Resolves: #76995
Releases: master, 7.6
Change-Id: Ia070493eb99ff395c67e0ac40e85b5e8fe7debd3
Reviewed-on: https://review.typo3.org/48379
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel <typo3@helhum.io>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/rsaauth/Configuration/Backend/AjaxRoutes.php

index a2fe2b1..20189c0 100644 (file)
@@ -605,8 +605,17 @@ abstract class AbstractUserAuthentication
             }
             $this->logoff();
         }
+        // Determine whether we need to skip session update.
+        // This is used mainly for checking session timeout in advance without refreshing the current session's timeout.
+        $skipSessionUpdate = (bool)GeneralUtility::_GP('skipSessionUpdate');
+        $haveSession = false;
+        if (!$this->newSessionID) {
+            // Read user session
+            $authInfo['userSession'] = $this->fetchUserSession($skipSessionUpdate);
+            $haveSession = is_array($authInfo['userSession']);
+        }
         // Active login (eg. with login form)
-        if ($loginData['status'] === 'login') {
+        if (!$haveSession && $loginData['status'] === 'login') {
             $activeLogin = true;
             if ($this->writeDevLog) {
                 GeneralUtility::devLog('Active login (eg. with login form)', AbstractUserAuthentication::class);
@@ -628,17 +637,6 @@ abstract class AbstractUserAuthentication
                 throw new \RuntimeException('TYPO3 Fatal Error: You have tried to login using a CLI user. Access prohibited!', 1270853931);
             }
         }
-        // The following code makes auto-login possible (if configured). No submitted data needed
-        // Determine whether we need to skip session update.
-        // This is used mainly for checking session timeout without
-        // refreshing the session itself while checking.
-        $skipSessionUpdate = (bool)GeneralUtility::_GP('skipSessionUpdate');
-        $haveSession = false;
-        if (!$this->newSessionID) {
-            // Read user session
-            $authInfo['userSession'] = $this->fetchUserSession($skipSessionUpdate);
-            $haveSession = is_array($authInfo['userSession']);
-        }
         if ($this->writeDevLog) {
             if ($haveSession) {
                 GeneralUtility::devLog('User session found: ' . GeneralUtility::arrayToLogString($authInfo['userSession'], array($this->userid_column, $this->username_column)), AbstractUserAuthentication::class, 0);
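Review bot: With the session lookup moved ahead of the `$loginData['status'] === 'login'` check, a request that carries credentials is now silently ignored whenever a valid session cookie is present, so a login form submitted for a different account keeps the previous identity (and, because `$activeLogin` stays false, whatever the later code does only for active logins, such as regenerating the session ID, presumably does not run). That is the intended fix for re-sent credentials of the same user, but nothing here compares the submitted user with the session owner, which on a shared browser means the second person continues as the first one without any notice. Consider, in the `$haveSession` branch before the login check, comparing the submitted username with `$authInfo['userSession'][$this->username_column]` and calling `$this->logoff()` (then proceeding with the active login) when they differ, or at least emitting a devLog such as `GeneralUtility::devLog('Login data ignored: valid session exists', AbstractUserAuthentication::class);` so the dropped credentials are visible in debugging. Note also that `skipSessionUpdate` is a request-controlled `_GP` flag, as before the move; it only prevents the timeout refresh, so it is harmless as long as nothing downstream treats it as trusted. The enclosing method starts before the first hunk and continues past this one.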
index e10644f..9ceae86 100644 (file)
@@ -7,6 +7,7 @@ return [
     // Get RSA public key
     'rsa_publickey' => [
         'path' => '/rsa/publickey',
-        'target' => \TYPO3\CMS\Rsaauth\RsaEncryptionEncoder::class . '::getRsaPublicKeyAjaxHandler'
+        'target' => \TYPO3\CMS\Rsaauth\RsaEncryptionEncoder::class . '::getRsaPublicKeyAjaxHandler',
+        'access' => 'public'
     ],
 ];
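Review bot: Marking `rsa_publickey` as `'access' => 'public'` makes `getRsaPublicKeyAjaxHandler` reachable without a backend session or CSRF token, which is necessary for the login form but deserves an inline justification, e.g. `// Public: the login form must fetch the key before any backend session exists`. If the handler generates and stores a fresh key pair on every call (the handler is not shown here, so this is an assumption to confirm), an unauthenticated caller can drive CPU and keypair-storage growth at will, so the storage should be bounded or expired and the endpoint should reject anything but the intended idempotent GET. Nothing in this hunk lets a reviewer verify either property; a short comment pointing at where the key lifetime is enforced would close that gap.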