Remove the userID from the session cookie
authorTim Düsterhus <duesterhus@woltlab.com>
Fri, 8 Jan 2021 14:59:12 +0000 (15:59 +0100)
committerTim Düsterhus <duesterhus@woltlab.com>
Thu, 21 Jan 2021 10:10:19 +0000 (11:10 +0100)
It was only added to support the username suggestion in the ACP login.

wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
wcfsetup/install/files/lib/system/session/SessionHandler.class.php

index 50742a500d0c8b6eec4185115161fd9281f1ef9f..eead9e0483e1a278ed1faef1885024e6944d9def 100644 (file)
@@ -21,7 +21,7 @@ use wcf\util\HeaderUtil;
 $hasValidSessionCookie = false;
 if (!empty($_COOKIE[COOKIE_PREFIX."user_session"])) {
        $cookieValue = CryptoUtil::getValueFromSignedString($_COOKIE[COOKIE_PREFIX."user_session"]);
-       if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 26) {
+       if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 22) {
                $sessionID = \bin2hex(\mb_substr($cookieValue, 1, 20, '8bit'));
                if ($sessionID === WCF::getSession()->sessionID) {
                        $hasValidSessionCookie = true;
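Review bot: The parser on L18–L19 accepts any 22-byte payload and reads the session ID from offset 1 without inspecting the version byte at offset 0 (no version check is visible within the hunk), so a differently laid-out payload that happens to be 22 bytes would be treated as a v1 cookie; a guard such as `if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 22 && \ord($cookieValue[0]) === 1) {` would mirror the `$version === 1` branch SessionHandler already has. The length literal 22 and the `CA20C` layout are now repeated here, in PackageInstallationDispatcher (L42) and in SessionHandler (L57, L65, L74); a single shared constant for the pack format, with the expected length derived from it, would keep the copies from drifting the next time the layout changes. The enclosing `if` block continues past the end of the hunk.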
@@ -46,11 +46,10 @@ HeaderUtil::setCookie(
        "user_session",
        CryptoUtil::createSignedString(
                \pack(
-                       'CA20CN',
+                       'CA20C',
                        1,
                        \hex2bin(WCF::getSession()->sessionID),
-                       0,
-                       WCF::getUser()->userID
+                       0
                )
        )
 );
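Review bot: The bare `0` on L32 is now the final pack argument and nothing in the hunk says what it is; SessionHandler's unpack format names that byte `timestep`, so a trailing comment `0 // timestep` would make the call self-describing, and the same applies to the identical call in PackageInstallationDispatcher (L47). SessionHandler's own cookie writer (L79) emits `$this->getCookieTimestep()` where these two call sites emit a constant 0; if that difference is deliberate (it looks like it would force a refresh on the next request via the comparison on L93, but that is inferred), a one-line comment stating the intent would spare the next reader from treating it as a mismatch.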
index 0f6ccff6af42b1d44781f1d7e486df45db786334..161e00dfb29cef6f22800f2f5cb2455cc17043f0 100644 (file)
@@ -244,11 +244,10 @@ class PackageInstallationDispatcher {
                                                // function during the setup.
                                                CryptoUtil::createSignedString(
                                                        \pack(
-                                                               'CA20CN',
+                                                               'CA20C',
                                                                1,
                                                                \hex2bin(WCF::getSession()->sessionID),
-                                                               0,
-                                                               WCF::getUser()->userID
+                                                               0
                                                        )
                                                )
                                        );
index 96e934ff788069df333d8b1f8a1604d8588a1115..20b09d87e15a85885c7c7dacb765cc88bcfdc7c0 100644 (file)
@@ -214,13 +214,13 @@ final class SessionHandler extends SingletonFactory {
                }
                
                if ($version === 1) {
-                       if ($length !== 26) {
+                       if ($length !== 22) {
                                throw new \InvalidArgumentException(\sprintf(
-                                       'Expected exactly 26 Bytes, %d given.',
+                                       'Expected exactly 22 Bytes, %d given.',
                                        $length
                                ));
                        }
-                       $data = \unpack('Cversion/A20sessionId/Ctimestep/NuserId', $value);
+                       $data = \unpack('Cversion/A20sessionId/Ctimestep', $value);
                        $data['sessionId'] = Hex::encode($data['sessionId']);
                        
                        return $data;
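Review bot: The `A20sessionId` field on L65 uses the `A` unpack code, which strips trailing NUL and ASCII whitespace bytes (0x00, 0x09, 0x0A, 0x0D, 0x20) from the extracted value; the session ID is raw binary at this point (it is hex-encoded on L66 and produced by `Hex::decode` on L76), so any session whose last raw byte is one of those values comes back shortened and `Hex::encode` yields an ID that will not match the stored session. The length check on L57 does not catch this because the truncation happens inside unpack, after the length has been validated. Using the NUL-preserving code, `$data = \unpack('Cversion/a20sessionId/Ctimestep', $value);`, and for symmetry `'Ca20C'` in the pack calls on L74, L27 and L42, keeps all 20 bytes intact. The enclosing method continues outside the hunk.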
@@ -293,11 +293,10 @@ final class SessionHandler extends SingletonFactory {
                }
                
                return CryptoUtil::createSignedString(\pack(
-                       'CA20CN',
+                       'CA20C',
                        1,
                        Hex::decode($this->sessionID),
-                       $this->getCookieTimestep(),
-                       $this->user->userID ?: 0
+                       $this->getCookieTimestep()
                ));
        }
        
@@ -353,11 +352,8 @@ final class SessionHandler extends SingletonFactory {
                
                $cookieData = $this->getParsedCookieData();
                
-               // No refresh is needed if userId and timestep match up.
-               if (
-                       $cookieData['userId'] === $this->user->userID &&
-                       $cookieData['timestep'] === $this->getCookieTimestep()
-               ) {
+               // No refresh is needed if the timestep matches up.
+               if ($cookieData['timestep'] === $this->getCookieTimestep()) {
                        return;
                }