From 20a82fc0d633e92c620bebefa91aa44777ab0009 Mon Sep 17 00:00:00 2001
From: Helmut Hummel <info@helhum.io>
Date: Thu, 17 Nov 2016 23:56:47 +0000
Subject: [PATCH] [BUGFIX] Update session id in user property
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The session id is also additionally stored in the
user property array in AbstractUserAuthentication.
When regenerating the session id, we must update the
session id in this user property as well, otherwise
it leads to failures in session handling (like #69763).

The workaround introduced for #69763 can stay, because
it mitigates other reasons for invalid tokens in the URL
by redirecting to the login page.

Resolves: #78739
Related: #69763
Releases: master, 7.6, 6.2
Change-Id: Ib58e6b5dacae3b9e431e662e214557411fd668f3
Reviewed-on: https://review.typo3.org/50701
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel <typo3@helhum.io>
---
 .../core/Classes/Authentication/AbstractUserAuthentication.php   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index 5abb83be02a4..fccb3b6a3b52 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -832,6 +832,7 @@ abstract class AbstractUserAuthentication
             ['ses_id' => $this->id],
             ['ses_id' => $oldSessionId, 'ses_name' => $this->name]
         );
+        $this->user['ses_id'] = $this->id;
         $this->newSessionID = true;
     }
 
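Review bot: The added assignment `$this->user['ses_id'] = $this->id;`, placed right after the update call, writes into `$this->user` unconditionally, and nothing in the visible lines guarantees that `$this->user` is a populated array at this point. If it can be empty or null here, the assignment would create an array holding only `ses_id`, which a later check that merely tests whether `$this->user` is set could mistake for a loaded user record. Consider guarding it with `if (is_array($this->user))`, or adding a comment stating why the property is always populated when the session id is regenerated. The diffstat also shows a single insertion in one file, so no regression test accompanies the fix; a test that regenerates the id and asserts that `$this->user['ses_id']` equals `$this->id` would keep the in-memory copy from drifting out of sync with the stored session again.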
-- 
GitLab