From fd166004137a1d05322c1e142991ba1c5e00d42c Mon Sep 17 00:00:00 2001
From: Colin Mollenhour
Date: Tue, 4 Apr 2023 14:20:11 -0400
Subject: [PATCH] Squashed commit of the following:
commit 3c433b1a3211d1bcc7c9b39500e48431e8754633
Merge: cccf1a6cc6 35195f07aa
Author: Ng Kiat Siong
Date: Mon Feb 27 15:52:17 2023 +0800
Merge branch '1.9.4.x' into unused-validator-session-expire-timestamp-2826
commit cccf1a6cc615fa73868bf0549f69f6b2e632883d
Author: Colin Mollenhour
Date: Mon Jan 9 15:44:18 2023 -0500
Fix session renew timestamp should be updated when customer changes password.
Fixes #2826
---
 .../core/Mage/Checkout/Model/Type/Onepage.php | 4 +---
 .../Core/Model/Session/Abstract/Varien.php | 19 ++++++++++++++++---
 .../core/Mage/Customer/Model/Customer.php | 16 +++++++++++++++-
 3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/app/code/core/Mage/Checkout/Model/Type/Onepage.php b/app/code/core/Mage/Checkout/Model/Type/Onepage.php
index 4944fae791f..604fd8f6bf4 100644
--- a/app/code/core/Mage/Checkout/Model/Type/Onepage.php
+++ b/app/code/core/Mage/Checkout/Model/Type/Onepage.php
@@ -719,9 +719,7 @@ protected function _prepareNewCustomerQuote()
 Mage::helper('core')->copyFieldset('checkout_onepage_quote', 'to_customer', $quote, $customer);
 $customer->setPassword($customer->decryptPassword($quote->getPasswordHash()));
- $passwordCreatedTime = $this->_checkoutSession->getSessionValidatorData()['session_expire_timestamp']
- - Mage::getSingleton('core/cookie')->getLifetime();
- $customer->setPasswordCreatedAt($passwordCreatedTime);
+ $customer->setPasswordCreatedAt(time());
 $quote->setCustomer($customer)
 ->setCustomerId(true);
 $quote->setPasswordHash('');
diff --git a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
index 3bb9aa94510..03f331307ad 100644
--- a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
+++ b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
@@ -423,7 +423,7 @@ public function useValidateSessionExpire()
 }
 /**
- * Use password creation timestamp in validator key
+ * Password creation timestamp must not be newer than last session renewal
 *
 * @return bool
 */
@@ -465,8 +465,8 @@ public function validate()
 }
 // Refresh expire timestamp
- if ($this->useValidateSessionExpire()) {
- $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = time();
+ if ($this->useValidateSessionExpire() || $this->useValidateSessionPasswordTimestamp()) {
+ $this->setValidatorSessionRenewTimestamp(time());
 $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_LIFETIME] = $this->getCookie()->getLifetime();
 }
 }
@@ -474,6 +474,18 @@ public function validate()
 return $this;
 }
+ /**
+ * Update the session's last legitimate renewal time (call when customer password is updated to avoid
+ * being logged out)
+ *
+ * @param int $timestamp
+ * @return void
+ */
+ public function setValidatorSessionRenewTimestamp($timestamp)
+ {
+ $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = $timestamp;
+ }
+
 /**
 * Validate data
 *
@@ -563,6 +575,7 @@ public function getValidatorData()
 $parts[self::VALIDATOR_HTTP_USER_AGENT_KEY] = (string)$_SERVER['HTTP_USER_AGENT'];
 }
+ // get time when password was last changed
 if (isset($this->_data['visitor_data']['customer_id'])) {
 $parts[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] = Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']);
diff --git a/app/code/core/Mage/Customer/Model/Customer.php b/app/code/core/Mage/Customer/Model/Customer.php
index b4280e327aa..083cd8d6daf 100644
--- a/app/code/core/Mage/Customer/Model/Customer.php
+++ b/app/code/core/Mage/Customer/Model/Customer.php
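Review bot: The new `setValidatorSessionRenewTimestamp()` in the third hunk overwrites `$_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP]` unconditionally, so a caller that passes a value older than the current one moves the renewal time backwards and — under the "must not be newer than last session renewal" rule stated in the docblock of the first hunk — can invalidate the very session it was added to keep alive (a caller that sets `password_created_at` from stored data rather than from `time()` would do exactly that). The method also writes to `$_SESSION` without checking that a session is active; the only such guard lives in the Customer.php caller, not in the session class that owns the array. I would clamp to the later of the existing value and the argument, cast to int, and return early when no session is active, as below. validate() and the surrounding class continue outside these hunks.
```php
    public function setValidatorSessionRenewTimestamp($timestamp)
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }
        $current = isset($_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP])
            ? (int)$_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP]
            : 0;
        // Never move the renewal time backwards: an older value would make this
        // session look stale relative to the customer's password timestamp.
        $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = max($current, (int)$timestamp);
    }
```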
@@ -79,7 +79,6 @@
 * @method string getPasswordConfirmation()
 * @method $this setPasswordConfirmation(string $value)
 * @method int getPasswordCreatedAt()
- * @method $this setPasswordCreatedAt(int $value)
 * @method string getPasswordHash()
 * @method $this setPasswordHash(string $value)
 * @method string getPrefix()
@@ -327,6 +326,21 @@ public function changePassword($newPassword)
 return $this;
 }
+ /**
+ * Set time when password was changed to invalidate other sessions
+ *
+ * @param int $time
+ * @return $this
+ */
+ public function setPasswordCreatedAt($time)
+ {
+ $this->setData('password_created_at', $time);
+ if (session_status() === PHP_SESSION_ACTIVE) {
+ Mage::getSingleton('checkout/session')->setValidatorSessionRenewTimestamp($time);
+ }
+ return $this;
+ }
+
 /**
 * Get full customer name
 *
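Review bot: `setPasswordCreatedAt()` in the second hunk reaches for `Mage::getSingleton('checkout/session')` from the customer model, which makes Mage_Customer depend on Mage_Checkout for a generic session operation; since the Varien.php setter writes the top-level `$_SESSION[self::VALIDATOR_KEY]` entry rather than anything namespaced, `Mage::getSingleton('customer/session')->setValidatorSessionRenewTimestamp($time);` appears to serve equally and keeps the dependency pointing the usual way. The side effect also runs for every caller that sets this field, not only the customer's own password change: an admin editing the account or a password-reset controller would bump the renewal time of whatever PHP session is current, which is not that customer's login session — harmless as far as I can tell, but the docblock should say so, e.g. `* Also refreshes the current PHP session's validator renew timestamp so the session performing the change stays valid; any other session for this customer fails validation on its next request.` I would additionally store the value as `(int) $time`, since the `@param int` contract and the timestamp comparison in the session validator assume an integer. changePassword() and the rest of the class lie outside the hunk.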