Do not change the userID of legacy sessions during update

This causes issues when combined with the `hideSession` parameter of
SessionHandler::changeUser() and is not required, because an existing session
will *never* change its userID.

1. During login (changing user to non-guest)
the previous user's session will be deleted together with the legacy session
matching the sessionID, a new session will be created, its assigned legacy
session will be deleted, then the userID will be adjusted and the session
reloaded, thus creating a legacy session with the appropriate userID (or
re-using an existing one of that newly logged-in user). The legacy session of
the previous user will never be reused as the legacy session for the new user.

2. During logout (changing user to guest)
the previous user session will simply be deleted together with the legacy
session matching the sessionID. A new session + legacy session for the guest
will be created for the next request. The legacy session of the user will never
be reused as the legacy session for the guest.

Resolves WoltLab/com.woltlab.pluginStore#39

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index f54eb30d56866b2170bf498fdbff65efd5424cc7..6c13bf058554c1e7458321d5a84c6509497d22b0 100644 (file)
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -1227,7 +1227,6 @@ final class SessionHandler extends SingletonFactory
             'requestURI' => $this->requestURI,
             'requestMethod' => $this->requestMethod,
             'lastActivityTime' => TIME_NOW,
-            'userID' => $this->user->userID,
             'sessionID' => $this->sessionID,
         ];
         if (!\class_exists('wcf\system\CLIWCF', false) && !$this->disableTracking) {