[BUGFIX] Fix session update with backend "Stay logged in" button
For unknown reasons the /ajax/login/refresh
route has never been used (all the way back to v6)
to request a session timeout update.

Instead the route /ajax/login/timedout, *without* the
skipSessionUpdate=1 parameter, has been used to
refresh an existing session.

With the introduction of configurable route parameters
in #81409 this inconsistency wasn't noticed and the
skipSessionUpdate parameter has been moved into the
route-configuration, which meant /ajax/login/timedout was
always called with skipSessionUpdate=1,
even as a result of the "Stay logged in" button, where
a session update was intended.

Use the dedicated /ajax/login/refresh route
in order to actually refresh the session.

Releases: main, 11.5, 10.4
Resolves: #96978
Related: #81409
Change-Id: I6e7ac78fdfae49fa07ac6b75d64dd1c381ad7e2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73624
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
bnf committed Feb 21, 2022
1 parent 3556a06 commit e58e14e
Showing 3 changed files with 12 additions and 6 deletions.
Expand Up @@ -222,8 +222,12 @@ class LoginRefresh {
class: 'btn btn-primary t3js-active',
'data-action': 'refreshSession',
}).text(TYPO3.lang['mess.refresh_login_refresh_button']).on('click', () => {
new AjaxRequest(TYPO3.settings.ajaxUrls.login_timedout).get().then((): void => {
new AjaxRequest(TYPO3.settings.ajaxUrls.login_refresh).get().then(async (response: AjaxResponse): Promise<void> => {
const data = await response.resolve();
this.hideTimeoutModal();
if (!data.refresh.success) {
this.showLoginForm();
}
});
}),
);
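Review bot: The new promise chain on `login_refresh` has no rejection handler; if the request fails (network error or a non-2xx response) before `response.resolve()` returns, the timeout modal is neither hidden nor replaced by the login form and the rejection goes unhandled, leaving the user stuck. Consider appending `.catch((): void => { this.hideTimeoutModal(); this.showLoginForm(); })` after the `.then(...)` so a failed refresh degrades to re-authentication rather than a silent stall, and guard `data.refresh` before reading `.success` in case the endpoint ever returns a different body.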
10 changes: 6 additions & 4 deletions typo3/sysext/backend/Classes/Controller/AjaxLoginController.php
Expand Up @@ -32,7 +32,7 @@ class AjaxLoginController
/**
* Handles the actual login process, more specifically it defines the response.
* The login details were sent in as part of the ajax request and automatically logged in
* the user inside the TYPO3 CMS bootstrap part of the ajax call. If that was successful, we have
* the user inside the BackendUserAuthenticator middleware. If that was successful, we have
* a BE user and reset the timer and hide the login window.
* If it was unsuccessful, we display that and show the login box again.
*
Expand Down Expand Up @@ -85,17 +85,19 @@ public function preflightAction(ServerRequestInterface $request): ResponseInterf
}

/**
* Refreshes the login without needing login information. We just refresh the session.
* Handles the actual session refresh, more specifically it defines the response.
* The session refresh has been performed inside the BackendUserAuthenticator middleware.
* If that was successful, we have a BE user and report that information as response.
*
* @param ServerRequestInterface $request
* @return ResponseInterface
*/
public function refreshAction(ServerRequestInterface $request): ResponseInterface
{
$this->getBackendUser()->checkAuthentication($request);
$backendUser = $this->getBackendUser();
return new JsonResponse([
'refresh' => [
'success' => true,
'success' => isset($backendUser->user['uid']),
],
]);
}
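Review bot: `refreshAction` now depends on the session having already been refreshed by the BackendUserAuthenticator middleware (as the new docblock states) instead of calling `checkAuthentication($request)` itself, so its correctness hinges on the /ajax/login/refresh route being configured without `skipSessionUpdate=1`, which is exactly the route-configuration slip the commit message describes for /ajax/login/timedout. Consider adding a functional test that calls the refresh route and asserts the session expiry actually moves, so a later route-configuration change cannot silently reintroduce the bug. Reporting `isset($backendUser->user['uid'])` instead of a hard-coded `true` is a real improvement, since the client can now detect an expired session, but note that it only reflects that a backend user is authenticated, not that the session lifetime was extended; the docblock could say so explicitly.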

Some generated files are not rendered by default.