From 38bb6e1477f7ddcc4eab6ab2f0ab3bb435ce1071 Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Mon, 18 Sep 2017 10:33:19 +0200
Subject: [PATCH] Fix duplicate session token after remembered login

On a remembered login session, we create a new session token in the database with the values of the old one. As we actually don't need the old session token anymore, we can delete it right away.

Signed-off-by: Christoph Wurst
---
 lib/private/Authentication/Token/DefaultTokenProvider.php | 1 +
 .../lib/Authentication/Token/DefaultTokenProviderTest.php | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php
index a1a7e83ea21c6..80bcc4aeac8d7 100644
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -195,6 +195,7 @@ public function renewSessionToken($oldSessionId, $sessionId) {
 $newToken->setRemember($token->getRemember());
 $newToken->setLastActivity($this->time->getTime());
 $this->mapper->insert($newToken);
+ $this->mapper->delete($token);
 }
 /**
diff --git a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
index 2c8c2d7e1968b..96fdbaa176f51 100644
--- a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
@@ -318,6 +318,10 @@ public function testRenewSessionTokenWithoutPassword() {
 ->expects($this->at(1))
 ->method('insert')
 ->with($newToken);
+ $this->mapper
+ ->expects($this->at(2))
+ ->method('delete')
+ ->with($token);
 $this->tokenProvider->renewSessionToken('oldId', 'newId');
 }
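Review bot: The added `$this->mapper->delete($token);` in DefaultTokenProvider.php runs as a separate mapper call after `insert($newToken)`, and nothing in the visible lines ties the two together, so an exception from the delete leaves the old session token valid next to the new one while the caller sees the renewal fail. Insert-before-delete is the safer order, because a failure never strands the user without a token, and a short comment would keep that intent from being reordered later, for example `// Delete only after the insert succeeded: the old token must not stay usable once renewed`. If the mapper supports transactions, wrapping both calls would make the swap atomic; that cannot be confirmed from this hunk, since renewSessionToken starts above it.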
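Review bot: The failure path is not covered: the new expectations in testRenewSessionTokenWithoutPassword, and the identical ones in testRenewSessionTokenWithPassword, only assert that `delete` follows `insert` when both succeed. A companion test where the `insert` mock throws and `delete` is expected with `$this->never()` would pin the property that a failed renewal does not remove the user's only valid token. Note also that `$this->at(2)` counts every call on the mapper mock, so an extra mapper call added to renewSessionToken later shifts the index and fails the test for an unrelated reason. Both test methods start outside their hunks.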
@@ -384,6 +388,10 @@ public function testRenewSessionTokenWithPassword() {
 ->expects($this->at(1))
 ->method('insert')
 ->with($this->equalTo($newToken));
+ $this->mapper
+ ->expects($this->at(2))
+ ->method('delete')
+ ->with($token);
 $this->tokenProvider->renewSessionToken('oldId', 'newId');
 }