Differential D477

INP-1871 - Properly dispose session during logout workflow
ClosedPublic
Actions

Authored by alex on Jul 29 2024, 8:24 AM.

Details

Reviewers

erik

Commits

rINP16794: Fixes INP-1871 - Properly dispose session during logout workflow

Test Plan

don't apply this patch
login to the Admin Console
enable to DBG_REDIRECT in the /system/debug.php (assuming, that Debug Mode is enabled as well)
press the Logout link in the top frame
confirm, this SQL is present in the Debugger Report:

DELETE FROM UserSessionData
WHERE SessionId = '' AND VariableName = 'priority_deleted';

click on the link, that DBG_REDIRECT shown instead of a page content
click on the link, that DBG_REDIRECT shown instead of a page content
confirm, that the Admin Login page is displayed
apply the patch
login to the Admin Console (click on the any DBG_REDIRECT shown links as needed)
press the Logout link in the top frame
confirm, that SQL, that removes the priority_deleted session variable has disappeared

Diff Detail

Repository

rINP In-Portal

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

alex created this revision.Jul 29 2024, 8:24 AM

Herald added a reviewer: erik. · View Herald TranscriptJul 29 2024, 8:24 AM

alex requested review of this revision.Jul 29 2024, 8:24 AM

Harbormaster completed remote builds in B1269: Diff 1225.Jul 29 2024, 8:24 AM

alex edited the test plan for this revision. (Show Details)Jul 29 2024, 8:24 AM

Tested by using PHPStorm+XDebug with breakpoint in the SessionStorage::RemoveFromData method. Before patch applying SQL, that removes the priority_deleted session variable was executed. After patch applying SQL, that removes the priority_deleted session variable was not executed, because SessionSet property is set to false.

Testing by plan was failed because:

Debugger Report was broken (after logout before patch applying).
Shoudl follow 2 redirect links after kogout to get login page, not one:

https://erik-php74.office.intechnic.com/SVN/5.2.x/admin/index.php?env=-index%3Am0--1--s-%3Au-----
https://erik-php74.office.intechnic.com/SVN/5.2.x/admin/index.php?env=-login%3Am0--1--s-%3Au-----&next_template=index

This revision is now accepted and ready to land.Jul 29 2024, 9:43 AM

alex edited the test plan for this revision. (Show Details)Jul 29 2024, 9:48 AM

Closed by commit rINP16794: Fixes INP-1871 - Properly dispose session during logout workflow (authored by alex, committed by ). · Explain WhyJul 29 2024, 9:57 AM

This revision was automatically updated to reflect the committed changes.

alex added a child revision: D479: INP-1725 - Introduce secure Session Key generation/storage.Aug 2 2024, 5:48 AM

alex mentioned this in D479: INP-1725 - Introduce secure Session Key generation/storage.Aug 2 2024, 11:17 AM

Revision Contents
Changeset List

			Path	Packages
M			branches/5.2.x/core/kernel/session/inp_session.php (1 line)

Diff	ID	Base	Description	Created	Lint	Unit
Base			Base
Diff 1	1225	16791		Jul 29 2024, 8:24 AM	★	★
Diff 2	1226	16793	rINP16794	Jul 29 2024, 9:57 AM	★	★

Status	Author	Revision
Closed	alex	D479 INP-1725 - Introduce secure Session Key generation/storage
Closed	alex	D476 INP-1870 - Save the session to the database immediately after the user login
Closed	alex	D477 INP-1871 - Properly dispose session during logout workflow

Diff 1226

View Options

branches/5.2.x/core/kernel/session/inp_session.php

INP-1871 - Properly dispose session during logout workflowClosedPublicActions