Benni Mack authored
The AbstractUserAuthentication class handles way too much of what it should know / do.

For this reason, a new UserSession object which contains basic information needed for everything belonging to a non-fixated session, a fixated anonymous session, if a session was elevated, or if a session has expired, is kept in there.

The "SessionManager" should not be used anymore publicly but slowly dissolve into a SessionBackendManager.

Design goals:
* UserAuth object should not know about session backends
* UserAuth should not store sessionData etc. directly in its own object
* Decouple UserSession info from any properties of UserAuth
* A UserSessionManager deals with the creation and validation of the UserSession objects. No Session Objects can be created etc. outside of this class to maintain persistability
* UserSessionManager also encapsulates ipLocking and the responsible SessionBackend

Final goals to be tackled later:
* Build a user session object from the request object, and not within the UserAuth object
* Session Handling can be accessed outside of UserAuth
* Cookie Handling and Session Handling are separated from UserAuth
* Load Session information from PSR-7 request instead of $_COOKIE

Resolves: #93023
Releases: master
Change-Id: Ia2d8244e433d0f6adf220d443b2c0947f251b5e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66935
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
733353c1