Merge branch 'MC-38309' of https://github.com/magento-mpi/magento2ce into TANGO-PR-10-21-2020-24

thiaramus · thiaramus · commit 5eaf08e3ff37 · 2020-10-29T10:18:33.000-05:00
diff --git a/app/code/Magento/Customer/Api/SessionCleanerInterface.php b/app/code/Magento/Customer/Api/SessionCleanerInterface.php
@@ -13,7 +13,7 @@
 interface SessionCleanerInterface
 {
     /**
-     * Destroy all active customer sessions related to given customer id, including current session.
+     * Destroy all active customer sessions related to given customer except current session.
      *
      * @param int $customerId
      * @return void
diff --git a/app/code/Magento/Customer/Controller/Account/EditPost.php b/app/code/Magento/Customer/Controller/Account/EditPost.php
@@ -33,7 +33,8 @@
 use Magento\Framework\Phrase;
 
 /**
- * Class EditPost
+ * Customer edit account information controller
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class EditPost extends AbstractAccount implements CsrfAwareActionInterface, HttpPostActionInterface
@@ -185,6 +186,7 @@ public function validateForCsrf(RequestInterface $request): ?bool
      * Change customer email or password action
      *
      * @return \Magento\Framework\Controller\Result\Redirect
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
     public function execute()
     {
@@ -217,6 +219,12 @@ public function execute()
                 );
                 $this->dispatchSuccessEvent($customerCandidateDataObject);
                 $this->messageManager->addSuccessMessage(__('You saved the account information.'));
+                // logout from current session if password changed.
+                if ($isPasswordChanged) {
+                    $this->session->logout();
+                    $this->session->start();
+                    return $resultRedirect->setPath('customer/account/login');
+                }
                 return $resultRedirect->setPath('customer/account');
             } catch (InvalidEmailOrPasswordException $e) {
                 $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
diff --git a/app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php b/app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php
@@ -14,9 +14,7 @@
 use Magento\Customer\Model\Customer\CredentialsValidator;
 
 /**
- * Class ResetPasswordPost
- *
- * @package Magento\Customer\Controller\Account
+ * Customer reset password controller
  */
 class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount implements HttpPostActionInterface
 {
@@ -91,6 +89,11 @@ public function execute()
                 $resetPasswordToken,
                 $password
             );
+            // logout from current session if password changed.
+            if ($this->session->isLoggedIn()) {
+                $this->session->logout();
+                $this->session->start();
+            }
             $this->session->unsRpToken();
             $this->messageManager->addSuccessMessage(__('You updated your password.'));
             $resultRedirect->setPath('*/*/login');
diff --git a/app/code/Magento/Customer/Model/Session/SessionCleaner.php b/app/code/Magento/Customer/Model/Session/SessionCleaner.php
@@ -71,13 +71,6 @@ public function __construct(
      */
     public function clearFor(int $customerId): void
     {
-        if ($this->sessionManager->isSessionExists()) {
-            //delete old session and move data to the new session
-            //use this instead of $this->sessionManager->regenerateId because last one doesn't delete old session
-            // phpcs:ignore Magento2.Functions.DiscouragedFunction
-            session_regenerate_id(true);
-        }
-
         $sessionLifetime = $this->scopeConfig->getValue(
             Config::XML_PATH_COOKIE_LIFETIME,
             ScopeInterface::SCOPE_STORE
@@ -89,6 +82,8 @@ public function clearFor(int $customerId): void
         $visitorCollection = $this->visitorCollectionFactory->create();
         $visitorCollection->addFieldToFilter('customer_id', $customerId);
         $visitorCollection->addFieldToFilter('last_visit_at', ['from' => $activeSessionsTime]);
+        $visitorCollection->addFieldToFilter('session_id', ['neq' => $this->sessionManager->getSessionId()]);
+
         /** @var \Magento\Customer\Model\Visitor $visitor */
         foreach ($visitorCollection->getItems() as $visitor) {
             $sessionId = $visitor->getSessionId();
diff --git a/dev/tests/integration/testsuite/Magento/Customer/Model/AccountManagementTest.php b/dev/tests/integration/testsuite/Magento/Customer/Model/AccountManagementTest.php
@@ -14,6 +14,7 @@
 use Magento\Framework\Exception\State\ExpiredException;
 use Magento\Framework\Reflection\DataObjectProcessor;
 use Magento\Framework\Session\SessionManagerInterface;
+use Magento\Framework\Stdlib\DateTime;
 use Magento\Framework\Url as UrlBuilder;
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\TestFramework\Helper\Bootstrap;
@@ -113,6 +114,10 @@ protected function tearDown(): void
         $customerRegistry->remove(1);
         $addressRegistry->remove(1);
         $addressRegistry->remove(2);
+        /** @var \Magento\Customer\Model\ResourceModel\Visitor $resourceModel */
+        $resourceModel = $this->objectManager->get(\Magento\Customer\Model\ResourceModel\Visitor::class);
+        $resourceModel->getConnection()->delete($resourceModel->getMainTable());
+        parent::tearDown();
     }
 
     /**
@@ -158,19 +163,52 @@ public function testChangePassword()
     {
         /** @var SessionManagerInterface $session */
         $session = $this->objectManager->get(SessionManagerInterface::class);
-        $oldSessionId = $session->getSessionId();
-        $session->setTestData('test');
+        $time = time();
+
+        $session->start();
+        $guessSessionId = $session->getSessionId();
+        $this->createVisitorSession($guessSessionId);
+        $session->setTestData('guest_session_data');
+
+        // open new session
+        $activeSessionId = uniqid("active-$time-");
+        $this->startNewSession($activeSessionId);
+        $this->createVisitorSession($activeSessionId, 1);
+        $session->setTestData('customer_session_data_1');
+
+        // open new session
+        $currentSessionId = uniqid("current-$time-");
+        $this->startNewSession($currentSessionId);
+        $this->createVisitorSession($currentSessionId, 1);
+        $session->setTestData('customer_session_data_current');
+
+        // change password
         $this->accountManagement->changePassword('customer@example.com', 'password', 'new_Password123');
-
-        $this->assertTrue(
-            $oldSessionId !== $session->getSessionId(),
-            'Customer session id wasn\'t regenerated after change password'
+        $this->assertEquals(
+            $currentSessionId,
+            $session->getSessionId(),
+            'Current session was renewed'
         );
 
-        $session->destroy();
-        $session->setSessionId($oldSessionId);
+        // open customer active session
+        $this->startNewSession($activeSessionId);
+        $this->assertNull($session->getTestData(), 'Customer active session data wasn\'t cleaned up');
+
+        // open customer current session
+        $this->startNewSession($currentSessionId);
+        $this->assertEquals(
+            'customer_session_data_current',
+            $session->getTestData(),
+            'Customer current session data was cleaned up'
+        );
 
-        $this->assertNull($session->getTestData(), 'Customer session data wasn\'t cleaned');
+        // open guess session
+        $this->startNewSession($guessSessionId);
+        $this->assertEquals(
+            'guest_session_data',
+            $session->getTestData(),
+            'Guest session data was cleaned up'
+        );
 
         $this->accountManagement->authenticate('customer@example.com', 'new_Password123');
     }
@@ -392,11 +430,58 @@ public function testValidateResetPasswordLinkTokenAmbiguous()
      */
     public function testResetPassword()
     {
+        /** @var SessionManagerInterface $session */
+        $session = $this->objectManager->get(SessionManagerInterface::class);
+        $time = time();
+
+        $session->start();
+        $guessSessionId = $session->getSessionId();
+        $this->createVisitorSession($guessSessionId);
+        $session->setTestData('guest_session_data');
+
+        // open new session
+        $activeSessionId = uniqid("active-$time-");
+        $this->startNewSession($activeSessionId);
+        $this->createVisitorSession($activeSessionId, 1);
+        $session->setTestData('customer_session_data_1');
+
+        // open new session
+        $currentSessionId = uniqid("current-$time-");
+        $this->startNewSession($currentSessionId);
+        $this->createVisitorSession($currentSessionId, 1);
+        $session->setTestData('customer_session_data_current');
+
         $resetToken = 'lsdj579slkj5987slkj595lkj';
         $password = 'new_Password123';
 
         $this->setResetPasswordData($resetToken, 'Y-m-d H:i:s');
         $this->assertTrue($this->accountManagement->resetPassword('customer@example.com', $resetToken, $password));
+
+        $this->assertEquals(
+            $currentSessionId,
+            $session->getSessionId(),
+            'Current session was renewed'
+        );
+
+        // open customer active session
+        $this->startNewSession($activeSessionId);
+        $this->assertNull($session->getTestData(), 'Customer active session data wasn\'t cleaned up');
+
+        // open customer current session
+        $this->startNewSession($currentSessionId);
+        $this->assertEquals(
+            'customer_session_data_current',
+            $session->getTestData(),
+            'Customer current session data was cleaned up'
+        );
+
+        // open guess session
+        $this->startNewSession($guessSessionId);
+        $this->assertEquals(
+            'guest_session_data',
+            $session->getTestData(),
+            'Guest session data was cleaned up'
+        );
     }
 
     /**
@@ -727,4 +812,35 @@ protected function setResetPasswordData(
         $customerModel->setRpTokenCreatedAt(date($date));
         $customerModel->save();
     }
+
+    /**
+     * @param string $sessionId
+     */
+    private function startNewSession(string $sessionId): void
+    {
+        /** @var SessionManagerInterface $session */
+        $session = $this->objectManager->get(SessionManagerInterface::class);
+        // close session and cleanup session variable
+        $session->writeClose();
+        $session->clearStorage();
+        // open new session
+        $session->setSessionId($sessionId);
+        $session->start();
+    }
+
+    /**
+     * @param string $sessionId
+     * @param int|null $customerId
+     * @return Visitor
+     */
+    private function createVisitorSession(string $sessionId, ?int $customerId = null): Visitor
+    {
+        /** @var Visitor $visitor */
+        $visitor = Bootstrap::getObjectManager()->create(Visitor::class);
+        $visitor->setCustomerId($customerId);
+        $visitor->setSessionId($sessionId);
+        $visitor->setLastVisitAt((new \DateTime())->format(DateTime::DATETIME_PHP_FORMAT));
+        $visitor->save();
+        return $visitor;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`interface SessionCleanerInterface`
`14`	`14`	`{`
`15`	`15`	`/**`
`16`		`- * Destroy all active customer sessions related to given customer id, including current session.`
	`16`	`+ * Destroy all active customer sessions related to given customer except current session.`
`17`	`17`	`*`
`18`	`18`	`* @param int $customerId`
`19`	`19`	`* @return void`