[BUGFIX] Avoid corrupted session when IP changes 53/54353/2
authorMarkus Klein <markus.klein@typo3.org>
Mon, 9 Oct 2017 11:45:41 +0000 (13:45 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Tue, 10 Oct 2017 15:23:04 +0000 (17:23 +0200)
If the IP of the client changes and is not within the
lockIP range anymore a new session is now created.

Resolves: #82490
Releases: master, 8.7
Change-Id: I7dc5033318fa9eb1efc929af126b38cc9840e964
Reviewed-on: https://review.typo3.org/54353
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

index 6233bb9..e20219e 100644 (file)
@@ -967,11 +967,6 @@ abstract class AbstractUserAuthentication
             return false;
         }
 
-        // Fail if user session is not in current IPLock Range
-        if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
-            return false;
-        }
-
         $this->sessionData = unserialize($sessionRecord['ses_data']);
         // Session is anonymous so no need to fetch user
         if ($sessionRecord['ses_anonymous']) {
@@ -1077,7 +1072,16 @@ abstract class AbstractUserAuthentication
     public function isExistingSessionRecord($id)
     {
         try {
-            return !empty($this->getSessionBackend()->get($id));
+            $sessionRecord = $this->getSessionBackend()->get($id);
+            if (empty($sessionRecord)) {
+                return false;
+            }
+            // If the session does not match the current IP lock, it should be treated as invalid
+            // and a new session should be created.
+            if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
+                return false;
+            }
+            return true;
         } catch (SessionNotFoundException $e) {
             return false;
         }