From 38f938207aebac724786613737d5fadb5af8e7af Mon Sep 17 00:00:00 2001 From: Stefan Neufeind <typo3.neufeind@speedpartner.de> Date: Sun, 9 Aug 2015 20:31:05 +0200 Subject: [PATCH] [!!!][TASK] Cleanup dual-use of auth_timeout_field in AbstractUserAuthentication So far the variable could either contain the name of a field or a timeout-value in seconds. Introduce a clean integer-field for the timeout and keep the current field only for the case where a class wants to really fetch the timeout from a field in the userdata. Change-Id: I2751e06a315936119478d0dd81cc4c5b1e941368 Resolves: #68890 Releases: master Reviewed-on: https://review.typo3.org/42464 Reviewed-by: Thomas Mayer <thomas.mayer@2bis10.de> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Daniel Goerz <ervaude@gmail.com> Tested-by: Daniel Goerz <ervaude@gmail.com> Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: Benni Mack <benni@typo3.org>
---
 .../backend/Classes/AjaxLoginHandler.php | 2 +- .../AbstractUserAuthentication.php | 49 ++++++++++++------- .../BackendUserAuthentication.php | 2 +- typo3/sysext/core/Classes/Core/Bootstrap.php | 2 +- ...-68890-RemoveDualuseOfAuthTimeoutField.rst | 22 +++++++++ .../FrontendUserAuthentication.php | 13 +++-- 6 files changed, 65 insertions(+), 25 deletions(-) create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Breaking-68890-RemoveDualuseOfAuthTimeoutField.rst
diff --git a/typo3/sysext/backend/Classes/AjaxLoginHandler.php b/typo3/sysext/backend/Classes/AjaxLoginHandler.php
index 1b4ad21daaa1..46c0aca5d22d 100644
--- a/typo3/sysext/backend/Classes/AjaxLoginHandler.php
+++ b/typo3/sysext/backend/Classes/AjaxLoginHandler.php
@@ -112,7 +112,7 @@ class AjaxLoginHandler
 } else {
 $backendUser->fetchUserSession(true);
 $ses_tstamp = $backendUser->user['ses_tstamp'];
- $timeout = $backendUser->auth_timeout_field;
+ $timeout = $backendUser->sessionTimeout;
 // If 120 seconds from now is later than the session timeout, we need to show the refresh dialog.
 // 120 is somewhat arbitrary to allow for a little room during the countdown and load times, etc.
 $session['will_time_out'] = $GLOBALS['EXEC_TIME'] >= $ses_tstamp + $timeout - 120;
diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index 6087aa048629..7b53083226f6 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
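Review bot: `$timeout = $backendUser->sessionTimeout;` resolves the timeout differently from checkUser in AbstractUserAuthentication, which in this same patch prefers `$user[$this->auth_timeout_field]` whenever `auth_timeout_field` is non-empty, so a backend user class that names a field would have its refresh dialog computed from a value other than the one that actually expires the session. As far as this patch shows, BackendUserAuthentication leaves `auth_timeout_field` at the inherited empty string, so this only bites subclasses that set it, but mirroring the resolution keeps the two in step: `$timeout = $backendUser->auth_timeout_field !== '' ? (int)$backendUser->user[$backendUser->auth_timeout_field] : $backendUser->sessionTimeout;`. `$ses_tstamp` is also left uncast here while checkUser now casts `ses_tstamp` to int before the same arithmetic. The enclosing method starts and ends outside the hunk.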
@@ -129,19 +129,29 @@ abstract class AbstractUserAuthentication public $formfield_status = ''; /** - * Server session lifetime. - * If > 0: session-timeout in seconds. - * If FALSE or < 0: no timeout. - * If string: The value is a field name from the user table where the timeout can be found. - * @var int|string|FALSE + * Session timeout (on the server) + * + * If >0: session-timeout in seconds. + * If 0: no timeout. + * + * @var int + */ + public $sessionTimeout = 0; + + /** + * Name for a field to fetch the server session timeout from. + * If not empty this is a field name from the user table where the timeout can be found. + * @var string */ - public $auth_timeout_field = 0; + public $auth_timeout_field = ''; /** - * Client session lifetime. - * 0 = Session-cookie. - * If session-cookies, the browser will stop the session when the browser is closed. - * Otherwise this specifies the lifetime of a cookie that keeps the session. + * Lifetime for the session-cookie (on the client) + * + * If >0: permanent cookie with given lifetime + * If 0: session-cookie + * Session-cookie means the browser will remove it when the browser is closed. + * * @var int */ public $lifetime = 0; @@ -149,7 +159,7 @@ abstract class AbstractUserAuthentication /** * GarbageCollection * Purge all server session data older than $gc_time seconds. - * 0 = default to $this->auth_timeout_field or use 86400 seconds (1 day) if $this->auth_timeout_field == 0 + * 0 = default to $this->sessionTimeout or use 86400 seconds (1 day) if $this->sessionTimeout == 0 * @var int */ public $gc_time = 0; 
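Review bot: The new `$sessionTimeout` docblock states `If 0: no timeout`, yet the code that consumes it in the checkUser hunk of this file is commented `If timeout > 0 (TRUE) and current time has not exceeded ... then accept user`, which reads as though a zero timeout refuses the session rather than never expiring it; since the two readings are opposite outcomes for session validity, the docblock should say unambiguously which one 0 means. The `$auth_timeout_field` docblock also does not say that it wins over `$sessionTimeout` when both are set, which is what checkUser implements; suggest adding ` * If set, this takes precedence over $sessionTimeout.` under its description. The `$lifetime` rewrite is fine as written.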
@@ -439,11 +449,11 @@ abstract class AbstractUserAuthentication } } // Set $this->gc_time if not explicitly specified - if ($this->gc_time == 0) { - // Default to 1 day if $this->auth_timeout_field is 0 - $this->gc_time = $this->auth_timeout_field == 0 ? 86400 : $this->auth_timeout_field; + if ($this->gc_time === 0) { + // Default to 86400 seconds (1 day) if $this->sessionTimeout is 0 + $this->gc_time = $this->sessionTimeout === 0 ? 86400 : $this->sessionTimeout; } - // If we're lucky we'll get to clean up old sessions.... + // If we're lucky we'll get to clean up old sessions if (rand() % 100 <= $this->gc_probability) { $this->gc(); } @@ -911,12 +921,13 @@ abstract class AbstractUserAuthentication } if ($user) { // A user was found - if (MathUtility::canBeInterpretedAsInteger($this->auth_timeout_field)) { - // Get timeout from object - $timeout = (int)$this->auth_timeout_field; - } else { + $user['ses_tstamp'] = (int)$user['ses_tstamp']; + + if (!empty($this->auth_timeout_field)) { // Get timeout-time from usertable $timeout = (int)$user[$this->auth_timeout_field]; + } else { + $timeout = $this->sessionTimeout; } // If timeout > 0 (TRUE) and current time has not exceeded the latest sessions-time plus the timeout in seconds then accept user // Use a gracetime-value to avoid updating a session-record too often diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php index 57db4e132754..ec0bcbb6723d 100644 --- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php +++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php @@ -246,7 +246,7 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU * if string: The string is field name from the user table where the timeout can be found. * @var string|int */ - public $auth_timeout_field = 6000; + public $sessionTimeout = 6000; /** * @var int 
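Review bot: `$timeout = $this->sessionTimeout;` in the checkUser hunk is the only branch without an `(int)` cast, while the subclasses touched by this patch redeclare the property as `@var string|int`, so a string value would reach the `timeout > 0` comparisons that follow uncast; `$timeout = (int)$this->sessionTimeout;` matches the field branch. The same concern applies to the strict `$this->sessionTimeout === 0` test in the gc_time hunk above: the old `== 0` accepted a string `'0'`, the new test copies it into `$this->gc_time` instead of defaulting to 86400, so either cast there too or rely on the property being int everywhere. `!empty($this->auth_timeout_field)` additionally treats a field named `'0'` as unset; `$this->auth_timeout_field !== ''` is the precise test for the now string-typed property. When the configured field is missing from `$user`, `(int)$user[$this->auth_timeout_field]` yields 0 with a notice and silently falls into whichever path a zero timeout selects, so a guard like `isset($user[$this->auth_timeout_field])` would make a misconfigured field name fail loudly. Both enclosing methods continue outside their hunks.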
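Review bot: The docblock kept above the renamed `public $sessionTimeout = 6000;` in BackendUserAuthentication still describes the removed dual-use (`if string: The string is field name from the user table ...`, `@var string|int`), although the parent now declares `@var int` and reserves field names for `$auth_timeout_field`. The docblock added to FrontendUserAuthentication in the later hunk repeats the stale text (`if FALSE/<0 : no timeout.`, `@var string|int`) and contradicts the parent's `If 0: no timeout`. Both should be reduced to the parent's contract, e.g. ` * Server session timeout in seconds; 0 means no timeout.` with ` * @var int`, so that static analysis and readers do not keep treating a string as a valid value for this property.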
diff --git a/typo3/sysext/core/Classes/Core/Bootstrap.php b/typo3/sysext/core/Classes/Core/Bootstrap.php
index f95f1cbf9bee..f62e98bd6cec 100644
--- a/typo3/sysext/core/Classes/Core/Bootstrap.php
+++ b/typo3/sysext/core/Classes/Core/Bootstrap.php
@@ -1071,7 +1071,7 @@ class Bootstrap
 $backendUser = GeneralUtility::makeInstance(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
 $backendUser->warningEmail = $GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'];
 $backendUser->lockIP = $GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'];
- $backendUser->auth_timeout_field = (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout'];
+ $backendUser->sessionTimeout = (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout'];
 if (TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_CLI) {
 $backendUser->dontSetCookie = true;
 }
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-68890-RemoveDualuseOfAuthTimeoutField.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-68890-RemoveDualuseOfAuthTimeoutField.rst
new file mode 100644
index 000000000000..3e74ff92dde1
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Breaking-68890-RemoveDualuseOfAuthTimeoutField.rst
@@ -0,0 +1,22 @@ +======================================================================================= +Breaking: #68890 - Cleanup dual-use of auth_timeout_field in AbstractUserAuthentication +======================================================================================= + +Description +=========== + +In ``AbstractUserAuthentication`` the variable ``auth_timeout_field`` could previously either contain the +name of a field or a timeout-value in seconds. To specify a fieldname the variable can be used as before. +To specify a timeout-value, a new property called ``sessionTimeout`` is introduced that can be set to an integer >= 0. + + +Impact +====== + +If some extension reads the value, the default is changed from an integer (0) to an empty string. + + +Migration +========= + +Extensions modifying ``auth_timeout_field`` to a numeric value should switch to using ``sessionTimeout``. diff --git a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php index 1757cc04f7ad..a3799d7d14d4 100644 --- a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php +++ b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php @@ -37,6 +37,14 @@ class FrontendUserAuthentication extends AbstractUserAuthentication */ protected $sessionDataLifetime = 86400; + /** + * if > 0 : session-timeout in seconds. + * if FALSE/<0 : no timeout. + * if string: The string is field name from the user table where the timeout can be found. + * @var string|int + */ + public $sessionTimeout = 6000; + /** * @var string */ @@ -140,7 +148,6 @@ class FrontendUserAuthentication extends AbstractUserAuthentication $this->formfield_uname = 'user'; $this->formfield_uident = 'pass'; $this->formfield_status = 'logintype'; - $this->auth_timeout_field = 6000; $this->sendNoCacheHeaders = false; $this->getFallBack = true; $this->getMethodEnabled = true; 
@@ -168,9 +175,9 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
 */
 public function start()
 {
- if ((int)$this->auth_timeout_field > 0 && (int)$this->auth_timeout_field < $this->lifetime) {
+ if ((int)$this->sessionTimeout > 0 && $this->sessionTimeout < $this->lifetime) {
 // If server session timeout is non-zero but less than client session timeout: Copy this value instead.
- $this->auth_timeout_field = $this->lifetime;
+ $this->sessionTimeout = $this->lifetime;
 }
 $this->sessionDataLifetime = (int)$GLOBALS['TYPO3_CONF_VARS']['FE']['sessionDataLifetime'];
 if ($this->sessionDataLifetime <= 0) {
-- GitLab
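Review bot: The rewritten condition casts only its first operand — `(int)$this->sessionTimeout > 0 && $this->sessionTimeout < $this->lifetime` — whereas the line it replaces cast both, so if the property holds a string (which the `@var string|int` docblock added to this class permits) the second comparison is a string-versus-int comparison while the first is numeric. Normalising once removes the asymmetry and leaves the property an int for every later reader: `$this->sessionTimeout = (int)$this->sessionTimeout;` before the `if`, then `if ($this->sessionTimeout > 0 && $this->sessionTimeout < $this->lifetime) {`. The start() method continues outside the hunk.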