From 4017128a966a0da50973aecce9c756b37d737c7d Mon Sep 17 00:00:00 2001
From: Markus Klein <markus.klein@typo3.org>
Date: Mon, 9 Oct 2017 13:45:41 +0200
Subject: [PATCH] [BUGFIX] Avoid corrupted session when IP changes
If the IP of the client changes and is not within the lockIP range anymore a new session is now created.
Resolves: #82490
Releases: master, 8.7
Change-Id: I7dc5033318fa9eb1efc929af126b38cc9840e964
Reviewed-on: https://review.typo3.org/54347
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Franz Holzinger <franz@ttproducts.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../AbstractUserAuthentication.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index c845c71b9232..37ce4898fc46 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -950,11 +950,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
 return false;
 }
 
- // Fail if user session is not in current IPLock Range
- if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
- return false;
- }
-
 $this->sessionData = unserialize($sessionRecord['ses_data']);
 // Session is anonymous so no need to fetch user
 if ($sessionRecord['ses_anonymous']) {
@@ -1058,7 +1053,16 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
 public function isExistingSessionRecord($id)
 {
 try {
- return !empty($this->getSessionBackend()->get($id));
+ $sessionRecord = $this->getSessionBackend()->get($id);
+ if (empty($sessionRecord)) {
+ return false;
+ }
+ // If the session does not match the current IP lock, it should be treated as invalid
+ // and a new session should be created.
+ if ($sessionRecord['ses_iplock'] !== $this->ipLockClause_remoteIPNumber($this->lockIP) && $sessionRecord['ses_iplock'] !== '[DISABLED]') {
+ return false;
+ }
+ return true;
 } catch (SessionNotFoundException $e) {
 return false;
 }
-- GitLab
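Review bot: The IP-lock comparison is now enforced only inside isExistingSessionRecord(), and the first hunk removes it from fetchUserSessionFromDB(), so any caller that fetches a session record without first probing isExistingSessionRecord() would now accept a session bound to a different IP; please confirm every load path goes through this method, or keep a defensive check in the fetch path as well. A session silently rejected for an IP mismatch is a security-relevant event, and since the class implements LoggerAwareInterface a line such as `$this->logger->debug('Session rejected: IP lock mismatch, a new session will be created');` before the second `return false` (deliberately without the raw session id) would make such events visible during incident analysis. The condition is now duplicated verbatim with the one that was deleted, so a small helper such as `isSessionWithinIpLock(array $sessionRecord): bool` would keep the two `'[DISABLED]'` comparisons from drifting apart. Whether the replacement session created on mismatch receives a freshly generated id rather than reusing the client-supplied one is not visible in this hunk and is worth verifying, because reusing it would amount to session fixation.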