From c500f4f6952d35cda6bd785dafbd1669ee883eca Mon Sep 17 00:00:00 2001
From: Nicole Cordes <typo3@cordes.co>
Date: Sat, 11 Feb 2017 16:24:36 +0100
Subject: [PATCH] [BUGFIX] Only set a session anonymous if in FE context

The session id regeneration must not touch the ses_anonymous field
of the session record, since it only exists for FE sessions.
The FrontendUserAuthentication is responsible for this.

Resolves: #79757
Releases: master
Change-Id: Iefcc678b9171830b587432fa7fbbc9e77033931f
Reviewed-on: https://review.typo3.org/51635
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
---
 .../Classes/Authentication/AbstractUserAuthentication.php  | 4 ----
 .../Classes/Authentication/FrontendUserAuthentication.php  | 7 +++++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index aac1aafcbaa3..5812b3b0280d 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -873,10 +873,6 @@ abstract class AbstractUserAuthentication
         // Update session record with new ID
         $oldSessionId = $this->id;
         $this->id = $this->createSessionId();
-        $existingSessionRecord['ses_anonymous'] = (int)$anonymous;
-        if ($anonymous) {
-            $existingSessionRecord['ses_userid'] = 0;
-        }
         $updatedSession = $this->getSessionBackend()->set($this->id, $existingSessionRecord);
         $this->sessionData = unserialize($updatedSession['ses_data']);
         // Merge new session data into user/session array
diff --git a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
index f10d0867d0a9..11715757925b 100644
--- a/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
+++ b/typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php
@@ -484,6 +484,13 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
      */
     protected function regenerateSessionId(array $existingSessionRecord = [], bool $anonymous = false)
     {
+        if (empty($existingSessionRecord)) {
+            $existingSessionRecord = $this->getSessionBackend()->get($this->id);
+        }
+        $existingSessionRecord['ses_anonymous'] = (int)$anonymous;
+        if ($anonymous) {
+            $existingSessionRecord['ses_userid'] = 0;
+        }
         parent::regenerateSessionId($existingSessionRecord, $anonymous);
         // We force the cookie to be set later in the authentication process
         $this->dontSetCookie = false;
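Review bot: The new fallback `$existingSessionRecord = $this->getSessionBackend()->get($this->id);` has no handling for a missing session record; as far as I recall the core session backends throw a SessionNotFoundException from get() for an unknown id, so a caller that regenerates before a record exists would now fail with an exception instead of continuing with an empty array — please confirm against the backend interface and either catch it here or declare it with `@throws`. The method's docblock, which ends just above the hunk, should state the new behaviour, e.g. `* If no record is given, it is loaded from the session backend by the current session id; an anonymous session additionally resets ses_userid to 0.` The `$anonymous` flag is still forwarded to the parent, which after the sibling hunk in AbstractUserAuthentication no longer applies it to the record fields, so if the parent has no remaining use for it a short comment on why it is still passed would help the next reader. The body of regenerateSessionId continues past the hunk.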
-- 
GitLab