From 346def0ae1eaee9b3f1ee35575550b320ad3f0eb Mon Sep 17 00:00:00 2001 From: =?utf8?q?Tim=20D=C3=BCsterhus?= Date: Wed, 12 May 2021 11:49:52 +0200 Subject: [PATCH] Do not change the userID of legacy sessions during update This causes issues when combined with the `hideSession` parameter of SessionHandler::changeUser() and is not required, because an existing session will *never* change its userID. 1. During login (changing user to non-guest) the previous user's session will be deleted together with the legacy session matching the sessionID, a new session will be created, its assigned legacy session will be deleted, then the userID will be adjusted and the session reloaded, thus creating a legacy session with the appropriate userID (or re-using an existing one of that newly logged-in user). The legacy session of the previous user will never be reused as the legacy session for the new user. 2. During logout (changing user to guest) the previous user session will simply be deleted together with the legacy session matching the sessionID. A new session + legacy session for the guest will be created for the next request. The legacy session of the user will never be reused as the legacy session for the guest. Resolves WoltLab/com.woltlab.pluginStore#39
---
 .../install/files/lib/system/session/SessionHandler.class.php | 1 - 1 file changed, 1 deletion(-)
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index f54eb30d56..6c13bf0585 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -1227,7 +1227,6 @@ final class SessionHandler extends SingletonFactory
 'requestURI' => $this->requestURI,
 'requestMethod' => $this->requestMethod,
 'lastActivityTime' => TIME_NOW,
- 'userID' => $this->user->userID,
 'sessionID' => $this->sessionID,
 ];
 if (!\class_exists('wcf\system\CLIWCF', false) && !$this->disableTracking) {
-- 2.20.1