[BUGFIX] rsaauth: remove session-cookie when no longer used 01/47901/2
authorStefan Neufeind <typo3.neufeind@speedpartner.de>
Sun, 17 Aug 2014 23:07:47 +0000 (01:07 +0200)
committerFrank Naegler <frank.naegler@typo3.org>
Mon, 25 Apr 2016 13:40:35 +0000 (15:40 +0200)
When deleting the rsa key from the database we now remove the PHP cookie
as well in order to keep the system cleaned up.

Change-Id: I037deabf0a60e6ad785678b60424b3cc49af77b0
Resolves: #61016
Releases: master, 7.6
Reviewed-on: https://review.typo3.org/47901
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
typo3/sysext/rsaauth/Classes/Storage/SplitStorage.php

index 1929add..8839ba8 100644 (file)
@@ -79,6 +79,13 @@ class SplitStorage extends AbstractStorage
             if (MathUtility::canBeInterpretedAsInteger($keyId)) {
                 $this->databaseConnection->exec_DELETEquery('tx_rsaauth_keys', 'uid=' . $keyId);
                 unset($_SESSION['tx_rsaauth_key']);
+                if (empty($_SESSION)) {
+                    $sessionName = session_name();
+                    $sessionCookie = session_get_cookie_params();
+                    session_destroy();
+                    // By using setcookie with the second parameter set to false we actually delete the cookie
+                    setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);
+                }
             }
         } else {
             // Add key