[BUGFIX] Only set a session anonymous if in FE context 35/51635/4
authorNicole Cordes <typo3@cordes.co>
Sat, 11 Feb 2017 15:24:36 +0000 (16:24 +0100)
committerMarkus Klein <markus.klein@typo3.org>
Sat, 11 Feb 2017 18:26:00 +0000 (19:26 +0100)
The session id regeneration must not touch the sys_anonymous field
of the session record, since it only exists for FE sessions.
The FrontendUserAuthentication is responsible for this.

Resolves: #79757
Releases: master
Change-Id: Iefcc678b9171830b587432fa7fbbc9e77033931f
Reviewed-on: https://review.typo3.org/51635
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php

index aac1aaf..5812b3b 100644 (file)
@@ -873,10 +873,6 @@ abstract class AbstractUserAuthentication
         // Update session record with new ID
         $oldSessionId = $this->id;
         $this->id = $this->createSessionId();
-        $existingSessionRecord['ses_anonymous'] = (int)$anonymous;
-        if ($anonymous) {
-            $existingSessionRecord['ses_userid'] = 0;
-        }
         $updatedSession = $this->getSessionBackend()->set($this->id, $existingSessionRecord);
         $this->sessionData = unserialize($updatedSession['ses_data']);
         // Merge new session data into user/session array
index f10d086..1171575 100644 (file)
@@ -484,6 +484,13 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
      */
     protected function regenerateSessionId(array $existingSessionRecord = [], bool $anonymous = false)
     {
+        if (empty($existingSessionRecord)) {
+            $existingSessionRecord = $this->getSessionBackend()->get($this->id);
+        }
+        $existingSessionRecord['ses_anonymous'] = (int)$anonymous;
+        if ($anonymous) {
+            $existingSessionRecord['ses_userid'] = 0;
+        }
         parent::regenerateSessionId($existingSessionRecord, $anonymous);
         // We force the cookie to be set later in the authentication process
         $this->dontSetCookie = false;
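Review bot: The new fallback at the top of the body calls `$this->getSessionBackend()->get($this->id)` without handling the case where no record is stored under the current id; if the backend's `get()` throws on a missing session (as the core session backend interface does, to my knowledge) rather than returning an empty array, a caller that passes an empty record for a not-yet-persisted session now gets an exception where the old code simply proceeded. Either guard the lookup (catch the backend's not-found exception, or check that a stored session exists before calling `get()`) or state the precondition in the docblock above the hunk, which should in any case say that an empty `$existingSessionRecord` is resolved against the backend. Since the parent then writes this record under the newly generated id, this is also where `ses_userid` is carried over on a non-anonymous regeneration, which is the intended session-fixation protection on login; a why-comment such as `// Load the stored record so ses_userid/ses_anonymous are rewritten under the new session id` would make that visible. For an `array`-typed parameter, `$existingSessionRecord === []` is the strict form of the `empty()` check. The body of regenerateSessionId continues past the end of the hunk.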