From b546556501fd5f705d4974deea8ef96edc422ccd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 8 Jan 2021 15:59:12 +0100
Subject: [PATCH] Remove the userID from the session cookie

It was only added to support the username suggestion in the ACP login.
---
 ...e_com.woltlab.wcf_5.4_session_1_cookies.php | 7 +++----
 .../PackageInstallationDispatcher.class.php | 5 ++---
 .../system/session/SessionHandler.class.php | 18 +++++++-----------
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php b/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
index 50742a500d..eead9e0483 100644
--- a/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
+++ b/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
@@ -21,7 +21,7 @@ use wcf\util\HeaderUtil;
 $hasValidSessionCookie = false;
 if (!empty($_COOKIE[COOKIE_PREFIX."user_session"])) {
 $cookieValue = CryptoUtil::getValueFromSignedString($_COOKIE[COOKIE_PREFIX."user_session"]);
- if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 26) {
+ if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 22) {
 $sessionID = \bin2hex(\mb_substr($cookieValue, 1, 20, '8bit'));
 if ($sessionID === WCF::getSession()->sessionID) {
 $hasValidSessionCookie = true;
@@ -46,11 +46,10 @@ HeaderUtil::setCookie(
 "user_session",
 CryptoUtil::createSignedString(
 \pack(
- 'CA20CN',
+ 'CA20C',
 1,
 \hex2bin(WCF::getSession()->sessionID),
- 0,
- WCF::getUser()->userID
+ 0
 )
 )
 );
diff --git a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
index 0f6ccff6af..161e00dfb2 100644
--- a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
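Review bot: The changed length check in the update script accepts any 22-byte payload without looking at the version byte, so the session ID is cut out at byte offset 1 whatever layout the cookie actually carries; the SessionHandler parser later in this patch dispatches on `$version` first, and the update script should mirror that, e.g. `if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 22 && \ord($cookieValue[0]) === 1) {`. Because the extracted ID is still compared with the server-side session ID before `$hasValidSessionCookie` is set, the practical effect is only that a malformed or foreign-layout cookie is silently re-issued rather than rejected on its own terms, but keeping the two parsers in step avoids surprises on the next layout change. The enclosing `if` block continues past the end of the hunk.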
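Review bot: The cookie layout `'CA20C'` with version `1` is now hand-built in three places — this `HeaderUtil::setCookie()` call, the PackageInstallationDispatcher hunk, and SessionHandler's own pack call — and the fact that this patch had to change three `pack()` format strings and two length constants in lockstep shows the drift that duplication invites. Consider exposing the cookie construction from SessionHandler as one method that packs version, session ID and timestep (timestep as a parameter so the update script and the dispatcher can pass `0`), so the format string lives next to the `unpack()` that reads it. A short comment at this call site saying why the timestep is `0` would also help; from the SessionHandler refresh hunk it looks like a zero timestep simply causes the next request to re-issue the cookie, but that intent is not stated anywhere. The `HeaderUtil::setCookie(` call opens at the hunk header line and the surrounding script continues past the hunk.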
@@ -244,11 +244,10 @@ class PackageInstallationDispatcher {
 // function during the setup.
 CryptoUtil::createSignedString(
 \pack(
- 'CA20CN',
+ 'CA20C',
 1,
 \hex2bin(WCF::getSession()->sessionID),
- 0,
- WCF::getUser()->userID
+ 0
 )
 )
 );
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 96e934ff78..20b09d87e1 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -214,13 +214,13 @@ final class SessionHandler extends SingletonFactory {
 }
 
 if ($version === 1) {
- if ($length !== 26) {
+ if ($length !== 22) {
 throw new \InvalidArgumentException(\sprintf(
- 'Expected exactly 26 Bytes, %d given.',
+ 'Expected exactly 22 Bytes, %d given.',
 $length
 ));
 }
- $data = \unpack('Cversion/A20sessionId/Ctimestep/NuserId', $value);
+ $data = \unpack('Cversion/A20sessionId/Ctimestep', $value);
 $data['sessionId'] = Hex::encode($data['sessionId']);
 
 return $data;
@@ -293,11 +293,10 @@ final class SessionHandler extends SingletonFactory {
 }
 
 return CryptoUtil::createSignedString(\pack(
- 'CA20CN',
+ 'CA20C',
 1,
 Hex::decode($this->sessionID),
- $this->getCookieTimestep(),
- $this->user->userID ?: 0
+ $this->getCookieTimestep()
 ));
 }
 
@@ -353,11 +352,8 @@ final class SessionHandler extends SingletonFactory {
 
 $cookieData = $this->getParsedCookieData();
 
- // No refresh is needed if userId and timestep match up.
- if (
- $cookieData['userId'] === $this->user->userID &&
- $cookieData['timestep'] === $this->getCookieTimestep()
- ) {
+ // No refresh is needed if the timestep matches up.
+ if ($cookieData['timestep'] === $this->getCookieTimestep()) {
 return;
 }
 
-- 
2.20.1
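Review bot: The rewritten `unpack()` format still reads the session ID with `A20`, and PHP's `unpack()` strips trailing ASCII whitespace and NUL bytes from `A` fields, so a random 20-byte session ID whose last byte happens to be 0x00, 0x09, 0x0A, 0x0D or 0x20 comes back shorter than 20 bytes and `Hex::encode()` then produces an ID that can never match the stored one; `a20` keeps the bytes intact: `$data = \unpack('Cversion/a20sessionId/Ctimestep', $value);`. For an input of exactly 20 bytes the `pack('CA20C', …)` writers in this patch emit identical output with `A` or `a`, so only the reader needs to change. This is pre-existing behavior rather than something the patch introduces, but it is worth fixing while the format string is being edited, and the same `A20` is read by `\mb_substr($cookieValue, 1, 20, '8bit')` in the update script without stripping, so the two parsers currently disagree on such IDs. The parsing method begins before the hunk.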
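Review bot: With the userId removed, the refresh check in the last hunk means the cookie's contents are identical before and after a login or logout and the cookie is only re-issued when the timestep rolls over; anything that previously relied on the cookie being rewritten on a user change no longer gets that. Presumably the session ID itself is rotated on login elsewhere in SessionHandler — that is outside this hunk and worth confirming — and the method's comment should make the new contract explicit, e.g. `// The cookie carries only the session ID and the timestep; it is intentionally independent of the authenticated user.`. The method this check belongs to starts and ends outside the hunk.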