Unused 'VALIDATOR_SESSION_EXPIRE_TIMESTAMP'

[pquerner]

Preconditions (*)

1. Using OpenMage Version 19.4.8

Steps to reproduce (*)

1. Guest Checkout > Wants to Create a account with order
2. $passwordCreatedTime = $this->_checkoutSession->getSessionValidatorData()['session_expire_timestamp'] does not exist in array
3. I saw that the constant VALIDATOR_SESSION_EXPIRE_TIMESTAMP wasnt used. In the original core I saw this piece of code: $parts[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] = time() + $this->getCookie()->getLifetime(); in \Mage_Core_Model_Session_Abstract_Varien::getValidatorData

Expected result (*)

1. No php error notice happens, checkout proceeds successfully

Actual result (*)

1. PHP error notice happens, breaks checkout (if notices are configured to be bad)

[sreichel]

I saw that the constant VALIDATOR_SESSION_EXPIRE_TIMESTAMP wasnt used. In the original core I saw this piece of code:

Mhh, this code has been removed with #546 and was added to https://github.com/OpenMage/magento-lts/releases/tag/v19.4.17.

Can you please add some information?

[pquerner]

that constant isnt unused, its used (not by the constant sadly) here:

magento-lts/app/code/core/Mage/Checkout/Model/Type/Onepage.php

Line 728 in 9182521

$passwordCreatedTime = $this->_checkoutSession->getSessionValidatorData()['session_expire_timestamp']

(original core
https://github.com/OpenMage/magento-mirror/blob/98da842ef7aa59b8b8fee642de8b0b6deec55c31/app/code/core/Mage/Checkout/Model/Type/Onepage.php#L732
)

but since 'session_expire_timestamp' (or rather 'VALIDATOR_SESSION_EXPIRE_TIMESTAMP') isnt set anymore it results in a php warning. (accessing inaccessible array key)

previous core:
https://github.com/OpenMage/magento-mirror/blob/98da842ef7aa59b8b8fee642de8b0b6deec55c31/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php#L525

openmage:

magento-lts/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

Line 542 in 9182521

public function getValidatorData()

so I guess the issue title is wrong

[sreichel]

so I guess the issue title is wrong

Thanks for making it more clear :)

[pquerner]

Do you have a better title? :D

[sreichel]

No.

Btw .. assigned @colinmollenhour b/c he should know best about this changes. Hoping for review.

[colinmollenhour]

Ahh yes, this should have been removed. Any reason this can't just be like so?

$customer->setPasswordCreatedAt(time());

Is it trying to back-date the timestamp to when the session was started initially? It seems this wouldn't be accurate and I fail to see the value in it..

[pquerner]

I've no idea whats the reason behind that chosen "creationDate". Probably CURRENT_TIMESTAMP will suffice.

[colinmollenhour]

After investigating further it seems this is meant to invalidate other sessions whenever a customer changes their password. I pushed PR #2916 for further discussion/review.