Commit ac49cd3f authored by Benni Mack's avatar Benni Mack Committed by Georg Ringer

[BUGFIX] Ensure new session handling works in SQLite environments

Due to some missing casting and usage of wrong properties,
a wrong comparison happened.

In addition, the change now checks for "user" instead of "userSession",
as the "userSession" property is obsolete.

Resolves: #93066
Releases: master
Change-Id: I4a0ff4797265c15e5cf9a822e4f7e1ea31fb31c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67103

Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
parent 69af3c4e
......@@ -446,7 +446,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$anonymousSession = false;
if (!$this->userSession->isNew()) {
// Read user data if this is bound to a user
// However, if the user data is not valid, or the session has timeed out we'll recreate a new anonymous session
// However, if the user data is not valid, or the session has timed out we'll recreate a new anonymous session
if ($this->userSession->getUserId() > 0) {
$authInfo['user'] = $this->fetchValidUserFromSessionOrDestroySession($skipSessionUpdate);
if (is_array($authInfo['user'])) {
......@@ -482,9 +482,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
}
if ($haveSession) {
$this->logger->debug('User session found', [
$this->userid_column => $authInfo['userSession'][$this->userid_column] ?? null,
$this->username_column => $authInfo['userSession'][$this->username_column] ?? null,
$this->logger->debug('User found in session', [
$this->userid_column => $authInfo['user'][$this->userid_column] ?? null,
$this->username_column => $authInfo['user'][$this->username_column] ?? null,
]);
} else {
$this->logger->debug('No user session found');
......@@ -525,13 +525,13 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
// If no new user was set we use the already found user session
if (empty($tempuserArr) && $haveSession && !$anonymousSession) {
$tempuserArr[] = $authInfo['userSession'];
$tempuser = $authInfo['userSession'];
$tempuserArr[] = $authInfo['user'];
$tempuser = $authInfo['user'];
// User is authenticated because we found a user session
$authenticated = true;
$this->logger->debug('User session used', [
$this->userid_column => $authInfo['userSession'][$this->userid_column],
$this->username_column => $authInfo['userSession'][$this->username_column],
$this->userid_column => $authInfo['user'][$this->userid_column],
$this->username_column => $authInfo['user'][$this->username_column],
]);
}
// Re-auth user when 'auth'-service option is set
......@@ -578,7 +578,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
// Insert session record if needed:
if (!$haveSession
|| $anonymousSession
|| $tempuser['uid'] !== $this->userSession->getUserId()
|| (int)$tempuser['uid'] !== $this->userSession->getUserId()
) {
$sessionData = $this->userSession->getData();
// Create a new session with a fixated user
......@@ -589,7 +589,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$this->userSession->overrideData($sessionData);
}
$this->user = array_merge($this->user ?? [], $tempuser);
$this->user = array_merge($tempuser, $this->user ?? []);
// The login session is started.
$this->loginSessionStarted = true;
......@@ -599,9 +599,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$this->username_column => $this->user[$this->username_column],
]);
}
} elseif ($haveSession) {
} else {
// if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true
$this->user = $authInfo['userSession'];
$this->user = $authInfo['user'];
}
if ($activeLogin && !$this->userSession->isNew()) {
......
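Review bot: In the hunk at -589, `$this->user = array_merge($tempuser, $this->user ?? []);` lets any key already present in `$this->user` override the freshly authenticated `$tempuser` record, because array_merge keeps the later value for string keys. If `$this->user` can still hold fields from an earlier session or another account at this point (not visible in the hunk), identity or permission columns would come from stale state rather than from the user that just passed authentication. I would add a comment stating why the existing values must win, e.g. `// values already loaded into $this->user take precedence; $tempuser only fills missing keys`, or pin the identity column after the merge with `$this->user[$this->userid_column] = $tempuser[$this->userid_column];`. The enclosing method starts and ends outside the visible hunks, so the state of `$this->user` on entry should be confirmed there.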
......@@ -32,7 +32,8 @@ namespace TYPO3\CMS\Core\Session;
*
* The $data argument is to store any arbitrary data valid for the users' session.
*
* A permanent session means: XYZ?
* A permanent session means that the client is not issued a session-based cookie but a time-based cookie.
* So the server-session survives the session of the browser.
*/
class UserSession
{
......