FOUR-13942 the kill existing session in device restriction is not working correctly

ProcessMaker/Http/Kernel.php

@@ -34,6 +34,7 @@ class Kernel extends HttpKernel
             \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
             \ProcessMaker\Http\Middleware\SessionStarted::class,
             \ProcessMaker\Http\Middleware\AuthenticateSession::class,
+            \ProcessMaker\Http\Middleware\SessionControlKill::class,
             \Illuminate\View\Middleware\ShareErrorsFromSession::class,
             //\ProcessMaker\Http\Middleware\VerifyCsrfToken::class,
             \ProcessMaker\Http\Middleware\SetLocale::class,       // This is disabled until all routes are handled by our new engine

ProcessMaker/Http/Middleware/SessionControlKill.php

@@ -25,25 +25,27 @@ class SessionControlKill
      */
     public function handle(Request $request, Closure $next): Response
     {
-        $user = Auth::user();
-        $userSession = $request->session()->get('user_session');
-
-        if ($userSession) {
-            $configIP = Setting::configByKey(self::IP_RESTRICTION_KEY);
-            $configDevice = Setting::configByKey(self::DEVICE_RESTRICTION_KEY);
-
-            $session = $this->getActiveSession($user, $userSession);
-
-            if ($session) {
-                // Checks if the session has expired based on the IP address
-                $isSessionExpiredByIP = $configIP === '2' && $this->isSessionExpiredByIP($session, $request);
-                // Checks if the session has expired based on the device
-                $isSessionExpiredByDevice = $configDevice === '2' && $this->isSessionExpiredByDevice($session);
-                // Checks if the session has expired except the one within the active device
-                $isAnyRestrictionEnabled = $configIP === '1' || $configDevice === '1';
-
-                if ($isSessionExpiredByIP || $isSessionExpiredByDevice || $isAnyRestrictionEnabled) {
-                    return $this->killSessionAndRedirect($session);
+        if (Auth::check()) {
+            $user = Auth::user();
+            $userSession = $request->session()->get('user_session');
+
+            if ($userSession) {
+                $configIP = Setting::configByKey(self::IP_RESTRICTION_KEY);
+                $configDevice = Setting::configByKey(self::DEVICE_RESTRICTION_KEY);
+
+                $session = $this->getActiveSession($user, $userSession);
+
+                if ($session) {
+                    // Checks if the session has expired based on the IP address
+                    $isSessionExpiredByIP = $configIP === '2' && $this->isSessionExpiredByIP($session, $request);
+                    // Checks if the session has expired based on the device
+                    $isSessionExpiredByDevice = $configDevice === '2' && $this->isSessionExpiredByDevice($session);
+                    // Checks if the session has expired except the one within the active device
+                    $isAnyRestrictionEnabled = $configIP === '1' || $configDevice === '1';
+
+                    if ($isSessionExpiredByIP || $isSessionExpiredByDevice || $isAnyRestrictionEnabled) {
+                        return $this->killSessionAndRedirect($session);
+                    }
                 }
             }
         }
@@ -57,8 +59,8 @@ private function getActiveSession(User $user, string $userSession): ?UserSession
             ->where([
                 ['is_active', true],
                 ['token', $userSession],
-                ['expired_date', '!=', null],
             ])
+            ->whereNotNull('expired_date')
             ->first();
     }