From ac49cd3f2707b7ebac3c0db8f0db99f68ff03768 Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Sat, 12 Dec 2020 11:15:57 +0100
Subject: [PATCH] [BUGFIX] Ensure new session handling works in SQLite
 environments

Due to some missing casting and usage of wrong properties,
a wrong comparison happened.

In addition, the change now checks for "user" instead of "userSession",
as the "userSession" property is obsolete.

Resolves: #93066
Releases: master
Change-Id: I4a0ff4797265c15e5cf9a822e4f7e1ea31fb31c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67103
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
---
 .../AbstractUserAuthentication.php            | 24 +++++++++----------
 .../core/Classes/Session/UserSession.php      |  3 ++-
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index a9fc62114cfa..fc8419fd8406 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -446,7 +446,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
         $anonymousSession = false;
         if (!$this->userSession->isNew()) {
             // Read user data if this is bound to a user
-            // However, if the user data is not valid, or the session has timeed out we'll recreate a new anonymous session
+            // However, if the user data is not valid, or the session has timed out we'll recreate a new anonymous session
             if ($this->userSession->getUserId() > 0) {
                 $authInfo['user'] = $this->fetchValidUserFromSessionOrDestroySession($skipSessionUpdate);
                 if (is_array($authInfo['user'])) {
@@ -482,9 +482,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
         }
 
         if ($haveSession) {
-            $this->logger->debug('User session found', [
-                $this->userid_column => $authInfo['userSession'][$this->userid_column] ?? null,
-                $this->username_column => $authInfo['userSession'][$this->username_column] ?? null,
+            $this->logger->debug('User found in session', [
+                $this->userid_column => $authInfo['user'][$this->userid_column] ?? null,
+                $this->username_column => $authInfo['user'][$this->username_column] ?? null,
             ]);
         } else {
             $this->logger->debug('No user session found');
@@ -525,13 +525,13 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
 
         // If no new user was set we use the already found user session
         if (empty($tempuserArr) && $haveSession && !$anonymousSession) {
-            $tempuserArr[] = $authInfo['userSession'];
-            $tempuser = $authInfo['userSession'];
+            $tempuserArr[] = $authInfo['user'];
+            $tempuser = $authInfo['user'];
             // User is authenticated because we found a user session
             $authenticated = true;
             $this->logger->debug('User session used', [
-                $this->userid_column => $authInfo['userSession'][$this->userid_column],
-                $this->username_column => $authInfo['userSession'][$this->username_column],
+                $this->userid_column => $authInfo['user'][$this->userid_column],
+                $this->username_column => $authInfo['user'][$this->username_column],
             ]);
         }
         // Re-auth user when 'auth'-service option is set
@@ -578,7 +578,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
             // Insert session record if needed:
             if (!$haveSession
                 || $anonymousSession
-                || $tempuser['uid'] !== $this->userSession->getUserId()
+                || (int)$tempuser['uid'] !== $this->userSession->getUserId()
             ) {
                 $sessionData = $this->userSession->getData();
                 // Create a new session with a fixated user
@@ -589,7 +589,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
                     $this->userSession->overrideData($sessionData);
                 }
 
-                $this->user = array_merge($this->user ?? [], $tempuser);
+                $this->user = array_merge($tempuser, $this->user ?? []);
 
                 // The login session is started.
                 $this->loginSessionStarted = true;
@@ -599,9 +599,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
                         $this->username_column => $this->user[$this->username_column],
                     ]);
                 }
-            } elseif ($haveSession) {
+            } else {
                 // if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true
-                $this->user = $authInfo['userSession'];
+                $this->user = $authInfo['user'];
             }
 
             if ($activeLogin && !$this->userSession->isNew()) {
diff --git a/typo3/sysext/core/Classes/Session/UserSession.php b/typo3/sysext/core/Classes/Session/UserSession.php
index 7892a7dabdf5..623aedf21544 100644
--- a/typo3/sysext/core/Classes/Session/UserSession.php
+++ b/typo3/sysext/core/Classes/Session/UserSession.php
@@ -32,7 +32,8 @@ namespace TYPO3\CMS\Core\Session;
  *
  * The $data argument is to store any arbitrary data valid for the users' session.
  *
- * A permanent session means: XYZ?
+ * A permanent session means that the client is not issued a session-based cookie but a time-based cookie.
+ * So the server-session survives the session of the browser.
  */
 class UserSession
 {
-- 
GitLab