Commit ac49cd3f authored by Benni Mack's avatar Benni Mack Committed by Georg Ringer

[BUGFIX] Ensure new session handling works in SQLite environments

Due to a missing cast and the use of wrong properties,
a wrong comparison happened.

In addition, the change now checks for "user" instead of "userSession",
as the "userSession" property is obsolete.

Resolves: #93066
Releases: master
Change-Id: I4a0ff4797265c15e5cf9a822e4f7e1ea31fb31c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67103


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
parent 69af3c4e
...@@ -446,7 +446,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -446,7 +446,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$anonymousSession = false; $anonymousSession = false;
if (!$this->userSession->isNew()) { if (!$this->userSession->isNew()) {
// Read user data if this is bound to a user // Read user data if this is bound to a user
// However, if the user data is not valid, or the session has timeed out we'll recreate a new anonymous session // However, if the user data is not valid, or the session has timed out we'll recreate a new anonymous session
if ($this->userSession->getUserId() > 0) { if ($this->userSession->getUserId() > 0) {
$authInfo['user'] = $this->fetchValidUserFromSessionOrDestroySession($skipSessionUpdate); $authInfo['user'] = $this->fetchValidUserFromSessionOrDestroySession($skipSessionUpdate);
if (is_array($authInfo['user'])) { if (is_array($authInfo['user'])) {
...@@ -482,9 +482,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -482,9 +482,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
} }
if ($haveSession) { if ($haveSession) {
$this->logger->debug('User session found', [ $this->logger->debug('User found in session', [
$this->userid_column => $authInfo['userSession'][$this->userid_column] ?? null, $this->userid_column => $authInfo['user'][$this->userid_column] ?? null,
$this->username_column => $authInfo['userSession'][$this->username_column] ?? null, $this->username_column => $authInfo['user'][$this->username_column] ?? null,
]); ]);
} else { } else {
$this->logger->debug('No user session found'); $this->logger->debug('No user session found');
...@@ -525,13 +525,13 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -525,13 +525,13 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
// If no new user was set we use the already found user session // If no new user was set we use the already found user session
if (empty($tempuserArr) && $haveSession && !$anonymousSession) { if (empty($tempuserArr) && $haveSession && !$anonymousSession) {
$tempuserArr[] = $authInfo['userSession']; $tempuserArr[] = $authInfo['user'];
$tempuser = $authInfo['userSession']; $tempuser = $authInfo['user'];
// User is authenticated because we found a user session // User is authenticated because we found a user session
$authenticated = true; $authenticated = true;
$this->logger->debug('User session used', [ $this->logger->debug('User session used', [
$this->userid_column => $authInfo['userSession'][$this->userid_column], $this->userid_column => $authInfo['user'][$this->userid_column],
$this->username_column => $authInfo['userSession'][$this->username_column], $this->username_column => $authInfo['user'][$this->username_column],
]); ]);
} }
// Re-auth user when 'auth'-service option is set // Re-auth user when 'auth'-service option is set
...@@ -578,7 +578,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -578,7 +578,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
// Insert session record if needed: // Insert session record if needed:
if (!$haveSession if (!$haveSession
|| $anonymousSession || $anonymousSession
|| $tempuser['uid'] !== $this->userSession->getUserId() || (int)$tempuser['uid'] !== $this->userSession->getUserId()
) { ) {
$sessionData = $this->userSession->getData(); $sessionData = $this->userSession->getData();
// Create a new session with a fixated user // Create a new session with a fixated user
...@@ -589,7 +589,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -589,7 +589,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$this->userSession->overrideData($sessionData); $this->userSession->overrideData($sessionData);
} }
$this->user = array_merge($this->user ?? [], $tempuser); $this->user = array_merge($tempuser, $this->user ?? []);
// The login session is started. // The login session is started.
$this->loginSessionStarted = true; $this->loginSessionStarted = true;
...@@ -599,9 +599,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface ...@@ -599,9 +599,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$this->username_column => $this->user[$this->username_column], $this->username_column => $this->user[$this->username_column],
]); ]);
} }
} elseif ($haveSession) { } else {
// if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true // if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true
$this->user = $authInfo['userSession']; $this->user = $authInfo['user'];
} }
if ($activeLogin && !$this->userSession->isNew()) { if ($activeLogin && !$this->userSession->isNew()) {
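Review bot: The swapped merge order at `$this->user = array_merge($tempuser, $this->user ?? []);` now lets any key already present in `$this->user` win over the freshly authenticated `$tempuser` record, the reverse of the previous precedence. If `$this->user` can already hold the record of the user stored in the previous session at this point (the hunks do not show where it is assigned, and the enclosing method starts and ends outside them), a login as a different account would keep the stale user's field values while the session is re-created for the new uid, so this is inferred rather than certain. The commit message does not explain the precedence change; a comment such as `// Already-loaded user fields win; $tempuser only fills in what is missing` naming the intended winner would let a reader confirm it. In the last hunk, the change from `} elseif ($haveSession) {` to `} else {` also drops the guard that `$authInfo['user']` is set; the comment above relies on a precondition, and an explicit `is_array($authInfo['user'])` check would keep it robust if that precondition is ever loosened.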
...@@ -32,7 +32,8 @@ namespace TYPO3\CMS\Core\Session; ...@@ -32,7 +32,8 @@ namespace TYPO3\CMS\Core\Session;
* *
* The $data argument is to store any arbitrary data valid for the users' session. * The $data argument is to store any arbitrary data valid for the users' session.
* *
* A permanent session means: XYZ? * A permanent session means that the client is not issued a session-based cookie but a time-based cookie.
* So the server-session survives the session of the browser.
*/ */
class UserSession class UserSession
{ {
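Review bot: "Time-based cookie" in the new docblock sentence is not an established term and may leave the reader guessing what distinguishes the two cookie kinds. The same point reads more precisely as `* A permanent session means that the client is issued a cookie with an explicit expiry instead of a session cookie that the browser discards on close,` followed by `* so the server-side session outlives the browser session.`. The class body of UserSession lies outside the hunk.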