From 2f129cb14432f16041fa0494576f640ff258fe6f Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Thu, 10 Dec 2020 17:38:26 +0100
Subject: [PATCH] [!!!][TASK] Remove forceSetCookie from
 AbstractUserAuthentication

The option "forceSetCookie", previously used
for lifetime, is only set in FrontendUserAuthentication,
and is moved to that subclass as a protected property,
making the dependencies between the parent class and the main class
cleaner.

Resolves: #93073
Releases: master
Change-Id: Ia711b2a0eb7b03ec1b352b0fd498d296a44df101
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67086
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
---
 .../AbstractUserAuthentication.php            | 10 +----
 ...erAuthentication-forceSetCookieRemoved.rst | 40 +++++++++++++++++++
 .../FrontendUserAuthentication.php            |  6 +++
 .../Php/PropertyPublicMatcher.php             |  5 +++
 4 files changed, 53 insertions(+), 8 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Breaking-93073-AbstractUserAuthentication-forceSetCookieRemoved.rst

diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index d1c4c9379e2b..6fd922fa9b80 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -181,13 +181,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
     public $user;
 
     /**
-     * Will force the session cookie to be set every time (lifetime must be 0)
-     * @var bool
-     */
-    public $forceSetCookie = false;
-
-    /**
-     * Will prevent the setting of the session cookie (takes precedence over forceSetCookie)
+     * Will prevent the setting of the session cookie
      * @var bool
      */
     public $dontSetCookie = false;
@@ -379,7 +373,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
      */
     public function isSetSessionCookie()
     {
-        return ($this->userSession->isNew() || $this->forceSetCookie) && $this->lifetime === 0;
+        return $this->userSession->isNew() && $this->lifetime === 0;
     }
 
     /**
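Review bot: The new return line in the parent's `isSetSessionCookie()` no longer consults `forceSetCookie`, and per the diffstat this patch adds only the property declaration to `FrontendUserAuthentication`. The flag therefore keeps its effect only if that subclass already overrides `isSetSessionCookie()`; no such override appears in this patch, so confirm it exists and that a test covers it. Any other subclass of `AbstractUserAuthentication` that still assigns `$this->forceSetCookie` would, on PHP versions that allow dynamic properties, write an undeclared property without complaint and stop re-sending the session cookie. I would record the contract in the method docblock, e.g. `Subclasses that need to re-send the session cookie on every request must override this method.` The docblock begins outside this hunk, so its current wording could not be checked.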
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-93073-AbstractUserAuthentication-forceSetCookieRemoved.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-93073-AbstractUserAuthentication-forceSetCookieRemoved.rst
new file mode 100644
index 000000000000..a4f8e5b48b16
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Breaking-93073-AbstractUserAuthentication-forceSetCookieRemoved.rst
@@ -0,0 +1,40 @@
+.. include:: ../../Includes.txt
+
+=====================================================================
+Breaking: #93073 - AbstractUserAuthentication->forceSetCookie removed
+=====================================================================
+
+See :issue:`93073`
+
+Description
+===========
+
+The public property `forceSetCookie`
+is removed from the PHP class `AbstractUserAuthentication`.
+
+This property served to ensure that a cookie should be added
+at any times, which is useful for time-based cookies, which only
+happen in Frontend user sessions. This property is now moved as a protected
+property into the FrontendUserAuthentication class and used in this class
+solely to reduce the complexity of the internal logic as well as outside API.
+
+
+Impact
+======
+
+Setting this property has no effect anymore, setting this property on a Frontend User object will trigger a PHP warning.
+
+
+Affected Installations
+======================
+
+TYPO3 installations with third-party extensions and special cookie handling, which is very unlikely.
+
+
+Migration
+=========
+
+If custom functionality for setting cookies is needed, it is highly
+recommended to send cookies manually via a PSR-15 middleware.
+
+.. index:: Backend, Frontend, PHP-API, FullyScanned, ext:core
diff --git a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
index fdb2cddedb64..2d80b56ce15f 100644
--- a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
+++ b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
@@ -151,6 +151,12 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
      */
     protected $loginHidden = false;
 
+    /**
+     * Will force the session cookie to be set every time (lifetime must be 0).
+     * @var bool
+     */
+    protected $forceSetCookie = false;
+
     /**
      * Will prevent the setting of the session cookie (takes precedence over forceSetCookie)
      * Disable cookie by default, will be activated if saveSessionData() is called,
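Review bot: Declaring `$forceSetCookie` as `protected` means an outside assignment such as `$feUser->forceSetCookie = true` throws an `Error` ("Cannot access protected property"), not the PHP warning the changelog's Impact section describes. This holds unless the class defines a magic `__set`, which is not visible here. Extensions that still write the flag would fail hard after upgrading, so the Impact wording should match, e.g. `setting this property on a Frontend User object from outside the class will throw a PHP Error`. The docblock that follows the new property is cut off at the end of the hunk.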
diff --git a/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php b/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
index a216c07337be..a10abc304f02 100644
--- a/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
+++ b/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
@@ -795,4 +795,9 @@ return [
             'Breaking-93062-VariousGroup-relatedPublicPropertiesInBE_USERRemoved.rst',
         ],
     ],
+    'TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->forceSetCookie' => [
+        'restFiles' => [
+            'Breaking-93073-AbstractUserAuthentication-forceSetCookieRemoved.rst',
+        ],
+    ],
 ];
-- 
GitLab