[!!!][FEATURE] Refactored Session Handling
The AbstractUserAuthentication class handles way too much of what it should know / do.

For this reason, a new UserSession object which contains basic information needed for everything belonging to a non-fixated session, a fixated anonymous session, if a session was elevated, or if a session has expired, is kept in there.

The "SessionManager" should not be used anymore publicly but slowly dissolve into a SessionBackendManager.

Design goals:
* UserAuth object should not know about session backends
* UserAuth should not store sessionData etc. directly in its own object
* Decouple UserSession info from any properties of UserAuth
* A UserSessionManager deals with the creation and validation of the UserSession objects. No Session Objects can be created etc. outside of this class to maintain persistability
* UserSessionManager also encapsulates ipLocking and the responsible SessionBackend

Final goals to be tackled later:
* Build a user session object from the request object, and not within the UserAuth object
* Session Handling can be accessed outside of UserAuth
* Cookie Handling and Session Handling are separated from UserAuth
* Load Session information from PSR-7 request instead of $_COOKIE

Resolves: #93023
Releases: master
Change-Id: Ia2d8244e433d0f6adf220d443b2c0947f251b5e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66935
Tested-by: TYPO3com <email@example.com>
Tested-by: Oliver Bartsch <firstname.lastname@example.org>
Tested-by: Christian Kuhn <email@example.com>
Tested-by: Benni Mack <firstname.lastname@example.org>
Reviewed-by: Oliver Bartsch <email@example.com>
Reviewed-by: Christian Kuhn <firstname.lastname@example.org>
Reviewed-by: Benni Mack <email@example.com>