Fix login cookie destroyed after authKey change (#19621)
I needed to modify yiiunit\framework\web\UserIdentity to be able to mock a change of authKey for tests. UserIdentity::reset() restores the authKey for other tests and is called from the tearDown() method.
| Q | A |
|---|---|
| Is bugfix? | ✔️ |
| New feature? | ❌ |
| Breaks BC? | ❌ |
| Fixed issues | #19621 |
Sorry, I noticed that I didn't update the issue number in the branch name. Is that an issue?
Not a problem.
The change is controversial. The change of auth key should invalidate sessions.
@MarkoNV would you please explain the motivation of the PR?
@samdark
After #18540, a change of authKey invalidates sessions. But the documentation says that calling yii\web\User::switchIdentity() or yii\web\User::login() will prevent logout of the current session, which is done for user experience (only the session that caused the change of authKey is restored).
The issue with that solution is that, while the session is restored, the remember-me cookie is destroyed. My solution keeps both the session and the remember-me cookie (if one exists for the current user), but still only for the session which caused the change of authKey; all other sessions are still logged out as intended.
Why do I think preserving the remember-me cookie is important? A user thinks his account is compromised and changes his password to log out other sessions. If he is logged out on his next visit, despite the fact that he was logged in with the "remember me" option, he will think his account is still compromised (someone logged him out).
See #19621
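The mechanism discussed in this thread, as an added illustration that is not Yii's own code or part of this PR: a remember-me cookie carries the user's authKey, so rotating the authKey on a password change silently invalidates every cookie issued before the rotation, and the only way the initiating session keeps its cookie is to re-issue it after the rotation. The `UserRecord` class, the `issueIdentityCookie`, `identityFromCookie` and `rotateAuthKey` helpers and the in-memory user store are assumptions made for the example; the `[id, authKey, duration]` cookie layout follows the one Yii's identity cookie uses.

```php
<?php
// Added model of authKey-based identity cookies; not Yii's code.
// Assumed: a user record holds an authKey, the identity cookie carries
// [id, authKey, duration], and a cookie is accepted only while its
// authKey still matches the stored one.

final class UserRecord
{
    public function __construct(public int $id, public string $authKey) {}
}

/** Fail loudly without depending on zend.assertions being enabled. */
function expect(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

/** Build the value a remember-me cookie would carry for $user. */
function issueIdentityCookie(UserRecord $user, int $duration): string
{
    return json_encode([$user->id, $user->authKey, $duration]);
}

/**
 * Resolve a cookie back to a user, or null when it must be rejected.
 * hash_equals() keeps the authKey comparison constant-time.
 */
function identityFromCookie(array $users, string $cookie): ?UserRecord
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || count($data) !== 3
        || !is_int($data[0]) || !is_string($data[1]) || !is_int($data[2])) {
        return null; // malformed or tampered cookie
    }
    [$id, $authKey] = $data;
    $user = $users[$id] ?? null;
    if ($user === null || !hash_equals($user->authKey, $authKey)) {
        return null; // unknown user or authKey no longer current
    }
    return $user;
}

/** Password change: rotating the authKey is what logs other sessions out. */
function rotateAuthKey(UserRecord $user): void
{
    $user->authKey = bin2hex(random_bytes(16));
}

// Constructed in-memory user store standing in for the database.
$users = [42 => new UserRecord(42, bin2hex(random_bytes(16)))];
$thirtyDays = 3600 * 24 * 30;

// Two devices, each holding a remember-me cookie for user 42.
$laptopCookie = issueIdentityCookie($users[42], $thirtyDays);
$phoneCookie  = issueIdentityCookie($users[42], $thirtyDays);
expect(identityFromCookie($users, $laptopCookie)?->id === 42, 'laptop cookie valid before rotation');
expect(identityFromCookie($users, $phoneCookie)?->id === 42, 'phone cookie valid before rotation');

// The user changes the password from the laptop.
rotateAuthKey($users[42]);

// Without re-issuing, both cookies are dead, including the laptop's.
expect(identityFromCookie($users, $laptopCookie) === null, 'stale laptop cookie rejected');
expect(identityFromCookie($users, $phoneCookie) === null, 'stale phone cookie rejected');

// Re-issuing the cookie for the initiating session is the behaviour the PR
// preserves: the laptop stays remembered, the phone stays logged out.
$laptopCookie = issueIdentityCookie($users[42], $thirtyDays);
expect(identityFromCookie($users, $laptopCookie)?->id === 42, 'laptop cookie re-issued');
expect(identityFromCookie($users, $phoneCookie) === null, 'phone still logged out');

echo "laptop remembered, phone logged out\n";
```

The point for reviewers is that the re-issued cookie carries the new authKey, so it gives the initiating device no more than it already had; every cookie holding the old authKey, on any other device, is rejected by the same comparison.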
@samdark can you check the failing tests? My commit passed the tests; only after merging the master branch into my branch did errors occur. Also, I see that many other pull requests have failing tests. Is something broken with the tests, or was a pull request which fails tests merged into master?
Test issues aren't related to this PR.
Changing the authKey of a user is meant to invalidate sessions, including authentication cookies. But if the user himself initiates it then he's unlikely to want to be logged out in the process.