Fixed bug #10205: DB session record is only created when user is authenticated
authorIngmar Schlecht <ingmar.schlecht@typo3.org>
Sat, 24 Jan 2009 14:47:29 +0000 (14:47 +0000)
committerIngmar Schlecht <ingmar.schlecht@typo3.org>
Sat, 24 Jan 2009 14:47:29 +0000 (14:47 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@4846 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/cms/tslib/class.tslib_feuserauth.php

index 4165d5e..831cfbb 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2009-01-24  Ingmar Schlecht  <ingmar@typo3.org>
+
+       * Fixed bug #10205: DB session record is only created when user is authenticated (thanks also to Michael Stucki)
+
 2009-01-20  Steffen Kamper  <info@sk-typo3.de>
 
        * Fixed bug #9345: Bug: CSV export includes _CLIPBOARD_ in header row (thanks to Christian Kuhn)
index a996046..0a6ae98 100644 (file)
@@ -361,8 +361,8 @@ class tslib_feUserAuth extends t3lib_userAuth {
         * @see storeSessionData()
         */
        function fetchSessionData()     {
-               // Gets SesData if any
-               if ($this->id {
+                       // Gets SesData if any AND if not already selected by session fixation check in ->isExistingSessionRecord()
+               if ($this->id && !count($this->sesData)) {
                        $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'fe_session_data', 'hash='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, 'fe_session_data'));
                        if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres))        {
                                $this->sesData = unserialize($sesDataRow['content']);
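Review bot: The new `!count($this->sesData)` guard on the `if` treats whatever is already in `$this->sesData` as the data for `$this->id`, but nothing in these lines ties the two together: `isExistingSessionRecord($id)` fills the property for the claimed ID it was handed. If the parent class can end up with a different `$this->id` after that check (not visible in this hunk), the cached data would be carried over into the new session. Consider remembering which ID the cached data belongs to, or at least documenting the assumption with a comment such as `// relies on isExistingSessionRecord() having been called with the same ID as $this->id`. The body of fetchSessionData() continues past the end of the hunk.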
@@ -485,6 +485,52 @@ class tslib_feUserAuth extends t3lib_userAuth {
                        }
                }
        }
+
+       /**
+        * Determine whether there's an according session record to a given session_id
+        * in the database. Don't care if session record is still valid or not.
+        *
+        * This calls the parent function but additionally tries to look up the session ID in the "fe_session_data" table.
+        *
+        * @param       integer         Claimed Session ID
+        * @return      boolean         Returns true if a corresponding session was found in the database
+        */
+       function isExistingSessionRecord($id) {
+                       // Perform check in parent function
+               $count = parent::isExistingSessionRecord($id);
+
+                       // Check if there are any fe_session_data records for the session ID the client claims to have
+               if ($count == false) {
+                       $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                                                       'content',
+                                                       'fe_session_data',
+                                                       'hash=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'fe_session_data')
+                                               );
+                       if ($dbres !== false) {
+                               if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+                                       $count = true;
+                                       $this->sesData = unserialize($sesDataRow['content']);
+                               }
+                       }
+               }
+
+                       // @deprecated: Check for commerce basket records. The following lines should be removed once a fixed commerce version is released.
+                       // Extensions like commerce which have their own session table should just put some small bit of data into fe_session_data using $GLOBALS['TSFE']->fe_user->setKey('ses', ...) to make the session stable.
+               if ($count == false && t3lib_extMgm::isLoaded('commerce')) {
+                       $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                                                       '*',
+                                                       'tx_commerce_baskets',
+                                                       'sid=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'tx_commerce_baskets')
+                                               );
+                       if ($dbres !== false) {
+                               if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+                                       $count = true;
+                               }
+                       }
+               }
+
+               return $count;
+       }
 }
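Review bot: In `isExistingSessionRecord()` the result of `unserialize($sesDataRow['content'])` is assigned to `$this->sesData` unchecked, so a corrupt or truncated row leaves the property as `false`, and the `!count($this->sesData)` guard added in `fetchSessionData()` then depends on how `count()` treats a non-array. Assign only a valid array: `$sesData = unserialize($sesDataRow['content']);` followed by `if (is_array($sesData)) { $this->sesData = $sesData; }`. The docblock should also say that this existence check populates `$this->sesData` as a side effect, and `@param integer` looks wrong for a value that is quoted and compared as a string hash. Because the row is deserialized for an ID the client merely claims, before any validity check, a short comment noting that `fe_session_data.content` must only ever be written by the session code would help the next reader.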