Starting on a fix for #6623

concrete/authentication/concrete/controller.php

@@ -131,7 +131,7 @@ private function genString($a = 16)
 
     public function isAuthenticated(User $u)
     {
-        return $u->isLoggedIn();
+        return $u->isRegistered();
     }
 
     public function saveAuthenticationType($values)

concrete/src/Http/DefaultDispatcher.php

@@ -13,6 +13,7 @@
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Symfony\Component\Routing\Matcher\UrlMatcher;
 use Symfony\Component\Routing\RequestContext;
+use Concrete\Core\Session\SessionValidator;
 
 class DefaultDispatcher implements DispatcherInterface
 {
@@ -59,15 +60,17 @@ public function dispatch(SymfonyRequest $request)
 
     private function getEarlyDispatchResponse()
     {
-        $session = $this->app['session'];
-
-        if (!$session->has('uID')) {
-            User::verifyAuthTypeCookie();
-        }
+        $validator = $this->app->make(SessionValidator::class);
+        if ($validator->hasActiveSession()) {
+            $session = $this->app['session'];
+            if (!$session->has('uID')) {
+                User::verifyAuthTypeCookie();
+            }
 
-        // User may have been logged in, so lets check status again.
-        if ($session->has('uID') && $session->get('uID') > 0 && $response = $this->validateUser()) {
-            return $response;
+            // User may have been logged in, so lets check status again.
+            if ($session->has('uID') && $session->get('uID') > 0 && $response = $this->validateUser()) {
+                return $response;
+            }
         }
     }
 

concrete/src/Page/Controller/PageController.php

@@ -12,6 +12,7 @@
 use Concrete\Core\Support\Facade\Application;
 use Concrete\Core\Page\View\PageView;
 use Symfony\Component\HttpFoundation\Response;
+use Concrete\Core\Session\SessionValidator;
 
 class PageController extends Controller
 {
@@ -111,13 +112,17 @@ public function getReplacement()
 
     public function getSets()
     {
+        $app = $this->app;
         $sets = parent::getSets();
+        $validator = $app->make(SessionValidator::class);
         $session = Application::getFacadeApplication()->make('session');
-        if ($session->getFlashBag()->has('page_message')) {
-            $value = $session->getFlashBag()->get('page_message');
-            foreach ($value as $message) {
-                $sets[$message[0]] = $message[1];
-                $sets[$message[0].'IsHTML'] = isset($message[2]) && $message[2];
+        if ($validator->hasActiveSession()) {
+            if ($session->getFlashBag()->has('page_message')) {
+                $value = $session->getFlashBag()->get('page_message');
+                foreach ($value as $message) {
+                    $sets[$message[0]] = $message[1];
+                    $sets[$message[0].'IsHTML'] = isset($message[2]) && $message[2];
+                }
             }
         }
 

concrete/src/Session/SessionValidator.php

@@ -95,6 +95,12 @@ public function handleSessionValidation(SymfonySession $session)
         return $invalidate;
     }
 
+    public function hasActiveSession()
+    {
+        $cookie = $this->app['cookie'];
+        return $cookie->has($this->config->get('concrete.session.name'));
+    }
+
     /**
      * @return bool
      */

concrete/src/User/User.php

@@ -4,6 +4,7 @@
 use Concrete\Core\Foundation\ConcreteObject;
 use Concrete\Core\Http\Request;
 use Concrete\Core\Permission\Access\Entity\GroupEntity;
+use Concrete\Core\Session\SessionValidator;
 use Concrete\Core\Support\Facade\Application;
 use Concrete\Core\User\Group\Group;
 use Concrete\Core\Authentication\AuthenticationType;
@@ -68,16 +69,13 @@ public static function loginByUserID($uID)
     }
 
     /**
-     * Return true if user is logged in.
-     *
-     * @return bool
+     * @deprecated
+     * Use isRegistered() instead
      */
     public static function isLoggedIn()
     {
-        $app = Application::getFacadeApplication();
-        $session = $app['session'];
-
-        return $session->has('uID') && $session->get('uID') > 0;
+        $u = new User();
+        return $u->isRegistered();
     }
 
     /**
@@ -147,9 +145,10 @@ public function __construct()
     {
         $app = Application::getFacadeApplication();
         $args = func_get_args();
-        $session = $app['session'];
         $config = $app['config'];
-
+        $session = $app['session'];
+        $validator = $app->make(SessionValidator::class);
+        // We need to check for the cookie so that we don't auto create a session when this runs super early.
         if (isset($args[1])) {
             // first, we check to see if the username and password match the admin username and password
             // $username = uName normally, but if not it's email address
@@ -214,44 +213,38 @@ public function __construct()
             }
         } else {
             $req = Request::getInstance();
-            if ($req->hasCustomRequestUser()) {
-                $this->uID = null;
-                $this->uName = null;
-                $this->superUser = false;
-                $this->uDefaultLanguage = null;
-                $this->uTimezone = null;
-                $ux = $req->getCustomRequestUser();
-                if ($ux && is_object($ux)) {
-                    $this->uID = $ux->getUserID();
-                    $this->uName = $ux->getUserName();
-                    $this->superUser = $ux->getUserID() == USER_SUPER_ID;
-                    if ($ux->getUserDefaultLanguage()) {
-                        $this->uDefaultLanguage = $ux->getUserDefaultLanguage();
+            $this->uID = null;
+            $this->uName = null;
+            $this->superUser = false;
+            $this->uDefaultLanguage = null;
+            $this->uTimezone = null;
+            if ($validator->hasActiveSession() || $this->uID) {
+                if ($req->hasCustomRequestUser()) {
+                    $ux = $req->getCustomRequestUser();
+                    if ($ux && is_object($ux)) {
+                        $this->uID = $ux->getUserID();
+                        $this->uName = $ux->getUserName();
+                        $this->superUser = $ux->getUserID() == USER_SUPER_ID;
+                        if ($ux->getUserDefaultLanguage()) {
+                            $this->uDefaultLanguage = $ux->getUserDefaultLanguage();
+                        }
+                        $this->uTimezone = $ux->getUserTimezone();
                     }
-                    $this->uTimezone = $ux->getUserTimezone();
+                } else if ($session->has('uID')) {
+                    $this->uID = $session->get('uID');
+                    $this->uName = $session->get('uName');
+                    $this->uTimezone = $session->get('uTimezone');
+                    if ($session->has('uDefaultLanguage')) {
+                        $this->uDefaultLanguage = $session->get('uDefaultLanguage');
+                    }
+                    $this->superUser = ($session->get('uID') == USER_SUPER_ID) ? true : false;
                 }
-            } elseif ($session->has('uID')) {
-                $this->uID = $session->get('uID');
-                $this->uName = $session->get('uName');
-                $this->uTimezone = $session->get('uTimezone');
-                if ($session->has('uDefaultLanguage')) {
-                    $this->uDefaultLanguage = $session->get('uDefaultLanguage');
+                $this->uGroups = $this->_getUserGroups();
+                if (!isset($args[2]) && !$req->hasCustomRequestUser()) {
+                    $session->set('uGroups', $this->uGroups);
                 }
-                $this->superUser = ($session->get('uID') == USER_SUPER_ID) ? true : false;
-            } else {
-                $this->uID = null;
-                $this->uName = null;
-                $this->superUser = false;
-                $this->uDefaultLanguage = null;
-                $this->uTimezone = null;
-            }
-            $this->uGroups = $this->_getUserGroups();
-            if (!isset($args[2]) && !$req->hasCustomRequestUser()) {
-                $session->set('uGroups', $this->uGroups);
             }
         }
-
-        return $this;
     }
 
     /**
@@ -594,24 +587,27 @@ public function refreshUserGroups()
      */
     public function getUserAccessEntityObjects()
     {
+        $entities = [];
         $app = Application::getFacadeApplication();
-        $req = Request::getInstance();
         $session = $app['session'];
+        $validator = $app->make(SessionValidator::class);
+        if ($validator->hasActiveSession()) {
+            $req = Request::getInstance();
 
-        if ($req->hasCustomRequestUser()) {
-            // we bypass session-saving performance
-            // and we don't save them in session.
-            return PermissionAccessEntity::getForUser($this);
-        }
+            if ($req->hasCustomRequestUser()) {
+                // we bypass session-saving performance
+                // and we don't save them in session.
+                return PermissionAccessEntity::getForUser($this);
+            }
 
-        if ($session->has('accessEntities')) {
-            $entities = $session->get('accessEntities');
-        } else {
-            $entities = PermissionAccessEntity::getForUser($this);
-            $session->set('accessEntities', $entities);
-            $session->set('accessEntitiesUpdated', time());
+            if ($session->has('accessEntities')) {
+                $entities = $session->get('accessEntities');
+            } else {
+                $entities = PermissionAccessEntity::getForUser($this);
+                $session->set('accessEntities', $entities);
+                $session->set('accessEntitiesUpdated', time());
+            }
         }
-
         return $entities;
     }