Fixed session renew timestamp should be updated when customer changes…

… password (#2916)
OpenMage · Apr 13, 2023 · 7584c1c · 7584c1c
1 parent 3a8a9f0
commit 7584c1c
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 7 deletions.
diff --git a/app/code/core/Mage/Checkout/Model/Type/Onepage.php b/app/code/core/Mage/Checkout/Model/Type/Onepage.php
@@ -719,9 +719,7 @@ protected function _prepareNewCustomerQuote()
 
         Mage::helper('core')->copyFieldset('checkout_onepage_quote', 'to_customer', $quote, $customer);
         $customer->setPassword($customer->decryptPassword($quote->getPasswordHash()));
-        $passwordCreatedTime = $this->_checkoutSession->getSessionValidatorData()['session_expire_timestamp']
-            - Mage::getSingleton('core/cookie')->getLifetime();
-        $customer->setPasswordCreatedAt($passwordCreatedTime);
+        $customer->setPasswordCreatedAt(time());
         $quote->setCustomer($customer)
             ->setCustomerId(true);
         $quote->setPasswordHash('');

diff --git a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
@@ -418,7 +418,7 @@ public function useValidateSessionExpire()
     }
 
     /**
-     * Use password creation timestamp in validator key
+     * Password creation timestamp must not be newer than last session renewal
      *
      * @return bool
      */
@@ -460,15 +460,27 @@ public function validate()
             }
 
             // Refresh expire timestamp
-            if ($this->useValidateSessionExpire()) {
-                $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = time();
+            if ($this->useValidateSessionExpire() || $this->useValidateSessionPasswordTimestamp()) {
+                $this->setValidatorSessionRenewTimestamp(time());
                 $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_LIFETIME] = $this->getCookie()->getLifetime();
             }
         }
 
         return $this;
     }
 
+    /**
+     * Update the session's last legitimate renewal time (call when customer password is updated to avoid
+     * being logged out)
+     *
+     * @param int $timestamp
+     * @return void
+     */
+    public function setValidatorSessionRenewTimestamp($timestamp)
+    {
+        $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = $timestamp;
+    }
+
     /**
      * Validate data
      *
@@ -558,6 +570,7 @@ public function getValidatorData()
             $parts[self::VALIDATOR_HTTP_USER_AGENT_KEY] = (string)$_SERVER['HTTP_USER_AGENT'];
         }
 
+        // get time when password was last changed
         if (isset($this->_data['visitor_data']['customer_id'])) {
             $parts[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] =
                 Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']);

diff --git a/app/code/core/Mage/Customer/Model/Customer.php b/app/code/core/Mage/Customer/Model/Customer.php
@@ -79,7 +79,6 @@
  * @method string getPasswordConfirmation()
  * @method $this setPasswordConfirmation(string $value)
  * @method int getPasswordCreatedAt()
- * @method $this setPasswordCreatedAt(int $value)
  * @method string getPasswordHash()
  * @method $this setPasswordHash(string $value)
  * @method string getPrefix()
@@ -327,6 +326,21 @@ public function changePassword($newPassword)
         return $this;
     }
 
+    /**
+     * Set time when password was changed to invalidate other sessions
+     *
+     * @param int $time
+     * @return $this
+     */
+    public function setPasswordCreatedAt($time)
+    {
+        $this->setData('password_created_at', $time);
+        if (session_status() === PHP_SESSION_ACTIVE) {
+            Mage::getSingleton('checkout/session')->setValidatorSessionRenewTimestamp($time);
+        }
+        return $this;
+    }
+
     /**
      * Get full customer name
      *