Neuer EP SESSION_REGENERATED (#5565)

redaxo · Feb 7, 2023 · e01c290 · e01c290
1 parent 821ec31
commit e01c290
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 3 deletions.
diff --git a/rector.php b/rector.php
@@ -56,6 +56,8 @@
         'redaxo/src/addons/be_style/vendor',
         'redaxo/src/addons/debug/vendor',
         'redaxo/src/addons/phpmailer/vendor',
+
+        FirstClassCallableRector::class => ['redaxo/src/core/boot.php'],
     ]);
 
     $rectorConfig->parallel();

diff --git a/redaxo/src/core/boot.php b/redaxo/src/core/boot.php
@@ -139,6 +139,8 @@
     }
 }
 
+rex_extension::register('SESSION_REGENERATED', [rex_backend_login::class, 'sessionRegenerated']);
+
 if (isset($REX['LOAD_PAGE']) && $REX['LOAD_PAGE']) {
     unset($REX);
     require rex_path::core(rex::isBackend() ? 'backend.php' : 'frontend.php');

diff --git a/redaxo/src/core/lib/login/backend_login.php b/redaxo/src/core/lib/login/backend_login.php
@@ -20,6 +20,8 @@ class rex_backend_login extends rex_login
     /** @var rex_backend_password_policy */
     private $passwordPolicy;
 
+    private static bool $sessionRegenerationForBackendLogin = false;
+
     public function __construct()
     {
         parent::__construct();
@@ -302,4 +304,27 @@ public function getLoginPolicy(): rex_login_policy
 
         return new rex_login_policy($loginPolicy);
     }
+
+    public static function regenerateSessionId()
+    {
+        self::$sessionRegenerationForBackendLogin = true;
+        try {
+            parent::regenerateSessionId();
+        } finally {
+            self::$sessionRegenerationForBackendLogin = false;
+        }
+    }
+
+    /**
+     * @internal
+     * @param rex_extension_point<null> $ep
+     */
+    public static function sessionRegenerated(rex_extension_point $ep): void
+    {
+        if (self::$sessionRegenerationForBackendLogin) {
+            return;
+        }
+
+        rex_user_session::updateSessionId(rex_type::string($ep->getParam('previous_id')), rex_type::string($ep->getParam('new_id')));
+    }
 }
diff --git a/redaxo/src/core/lib/login/login.php b/redaxo/src/core/lib/login/login.php
@@ -281,7 +281,7 @@ public function checkLogin()
                 $this->user->setQuery($this->loginQuery, [':login' => $this->userLogin]);
                 if (1 == $this->user->getRows() && self::passwordVerify($this->userPassword, $this->user->getValue($this->passwordColumn), true)) {
                     $ok = true;
-                    self::regenerateSessionId();
+                    static::regenerateSessionId();
                     $this->setSessionVar(self::SESSION_START_TIME, time());
                     $this->setSessionVar(self::SESSION_USER_ID, $this->user->getValue($this->idColumn));
                     $this->setSessionVar(self::SESSION_PASSWORD, $this->user->getValue($this->passwordColumn));
@@ -513,9 +513,17 @@ public function getSessionVar($varname, $default = '')
      *
      * @return void
      */
-    protected static function regenerateSessionId()
+    public static function regenerateSessionId()
     {
-        if ('' != session_id()) {
+        /** @var bool $regenerated */
+        static $regenerated = false;
+        if ($regenerated) {
+            return;
+        }
+
+        if ('' != $previous = session_id()) {
+            $regenerated = true;
+
             session_regenerate_id(true);
 
             $cookieParams = static::getCookieParams();
@@ -524,6 +532,11 @@ protected static function regenerateSessionId()
             }
 
             rex_csrf_token::removeAll();
+
+            rex_extension::registerPoint(new rex_extension_point('SESSION_REGENERATED', null, [
+                'previous_id' => $previous,
+                'new_id' => session_id(),
+            ], true));
         }
 
         // session-id is shared between frontend/backend or even redaxo instances per server because it's the same http session

diff --git a/redaxo/src/core/lib/login/user_session.php b/redaxo/src/core/lib/login/user_session.php
@@ -64,6 +64,15 @@ public function updateLastActivity(rex_backend_login $login): void
         $this->storeCurrentSession($login);
     }
 
+    public static function updateSessionId(string $previousId, string $newId): void
+    {
+        rex_sql::factory()
+            ->setTable(rex::getTable('user_session'))
+            ->setWhere(['session_id' => $previousId])
+            ->setValue('session_id', $newId)
+            ->update();
+    }
+
     public static function clearExpiredSessions(): void
     {
         rex_sql::factory()