Update the token on session regeneration

apps/files_sharing/lib/Controller/ShareController.php

@@ -217,7 +217,7 @@ public function authenticate($token, $redirect, $password = '') {
 	private function linkShareAuth(\OCP\Share\IShare $share, $password = null) {
 		if ($password !== null) {
 			if ($this->shareManager->checkPassword($share, $password)) {
-				$this->session->regenerateId();
+				$this->session->regenerateId(true, true);
 				$this->session->set('public_link_authenticated', (string)$share->getId());
 			} else {
 				$this->emitAccessShareHook($share, 403, 'Wrong password');

lib/private/Session/CryptoSessionData.php

@@ -150,10 +150,11 @@ public function clear() {
 	 * Wrapper around session_regenerate_id
 	 *
 	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+	 * @param bool $updateToken Wheater to update the associated auth token
 	 * @return void
 	 */
-	public function regenerateId(bool $deleteOldSession = true) {
-		$this->session->regenerateId($deleteOldSession);
+	public function regenerateId(bool $deleteOldSession = true, bool $updateToken = false) {
+		$this->session->regenerateId($deleteOldSession, $updateToken);
 	}
 
 	/**

lib/private/Session/Internal.php

@@ -30,6 +30,10 @@
 
 namespace OC\Session;
 
+use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Token\IProvider;
+use OC\SystemConfig;
+use OCP\IConfig;
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
 /**
@@ -111,14 +115,41 @@ public function close() {
 	 * Wrapper around session_regenerate_id
 	 *
 	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+	 * @param bool $updateToken Wheater to update the associated auth token
 	 * @return void
 	 */
-	public function regenerateId(bool $deleteOldSession = true) {
+	public function regenerateId(bool $deleteOldSession = true, bool $updateToken = false) {
+		$oldId = null;
+
+		if ($updateToken) {
+			// Get the old id to update the token
+			try {
+				$oldId = $this->getId();
+			} catch (SessionNotAvailableException $e) {
+				// We can't update a token if there is no previous id
+				$updateToken = false;
+			}
+		}
+
 		try {
 			@session_regenerate_id($deleteOldSession);
 		} catch (\Error $e) {
 			$this->trapError($e->getCode(), $e->getMessage());
 		}
+
+		if ($updateToken) {
+			// Get the new id to update the token
+			$newId = $this->getId();
+
+			/** @var IProvider $tokenProvider */
+			$tokenProvider = \OC::$server->query(IProvider::class);
+
+			try {
+				$tokenProvider->renewSessionToken($oldId, $newId);
+			} catch (InvalidTokenException $e) {
+				// Just ignore
+			}
+		}
 	}
 
 	/**

lib/private/Session/Memory.php

@@ -91,7 +91,7 @@ public function clear() {
 	 *
 	 * @param bool $deleteOldSession
 	 */
-	public function regenerateId(bool $deleteOldSession = true) {}
+	public function regenerateId(bool $deleteOldSession = true, bool $updateToken = false) {}
 
 	/**
 	 * Wrapper around session_id

lib/private/User/Session.php

@@ -626,6 +626,8 @@ public function createSessionToken(IRequest $request, $uid, $loginName, $passwor
 		try {
 			$sessionId = $this->session->getId();
 			$pwd = $this->getPassword($password);
+			// Make sure the current sessionId has no leftover tokens
+			$this->tokenProvider->invalidateToken($sessionId);
 			$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
 			return true;
 		} catch (SessionNotAvailableException $ex) {

lib/public/ISession.php

@@ -96,10 +96,11 @@ public function close();
 	 * Wrapper around session_regenerate_id
 	 *
 	 * @param bool $deleteOldSession Whether to delete the old associated session file or not.
+	 * @param bool $updateToken Wheater to update the associated auth token
 	 * @return void
-	 * @since 9.0.0
+	 * @since 9.0.0, $updateToken added in 14.0.0
 	 */
-	public function regenerateId(bool $deleteOldSession = true);
+	public function regenerateId(bool $deleteOldSession = true, bool $updateToken = false);
 
 	/**
 	 * Wrapper around session_id