From a3157af700b3b46bdfd566fc87d54e7b917d1e49 Mon Sep 17 00:00:00 2001 From: Julian Maurice Date: Mon, 6 Jan 2014 10:00:41 +0100 Subject: [PATCH] Bug 10952: (follow-up) Always flush session after deletion This is recommended in CGI::Session documentation. Signed-off-by: Charlene Criton Signed-off-by: Kyle M Hall Signed-off-by: Galen Charlton (cherry picked from commit 939d68ea7b0fb7c0649531b324ad4938a5360c0e) Signed-off-by: Fridolin Somers --- C4/Auth.pm | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 7bc7bd9f00..736cb64ae5 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -690,16 +690,16 @@ sub checkauth { #first we need to clear the anonymous session... $debug and warn "query id = $q_userid but session id = $s_userid"; $anon_search_history = $session->param('search_history'); - $session->flush; $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $sessionID = undef; $userid = undef; } elsif ($logout) { # voluntary logout the user - $session->flush; $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); #_session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime)); $sessionID = undef; @@ -712,7 +712,10 @@ sub checkauth { elsif ( !$lasttime || ($lasttime < time() - $timeout) ) { # timed logout $info{'timed_out'} = 1; - $session->delete() if $session; + if ($session) { + $session->delete(); + $session->flush; + } C4::Context->_unset_userenv($sessionID); #_session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime)); $userid = undef; @@ -724,6 +727,7 @@ sub checkauth { $info{'newip'} = $ENV{'REMOTE_ADDR'}; $info{'different_ip'} = 1; $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); #_session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'}); $sessionID = undef; @@ -1201,6 +1205,7 @@ sub check_api_auth { if ( $lasttime < time() - $timeout ) { # time out $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; @@ -1208,6 +1213,7 @@ sub check_api_auth { } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) { # IP address changed $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; @@ -1224,6 +1230,7 @@ sub check_api_auth { return ("ok", $cookie, $sessionID); } else { $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; @@ -1440,6 +1447,7 @@ sub check_cookie_auth { if ( $lasttime < time() - $timeout ) { # time out $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; @@ -1447,6 +1455,7 @@ sub check_cookie_auth { } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) { # IP address changed $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; @@ -1458,6 +1467,7 @@ sub check_cookie_auth { return ("ok", $sessionID); } else { $session->delete(); + $session->flush; C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; -- 2.39.5