Open MarkoNV opened 2 years ago
Yes, it will be great to get a pull request. Thanks.
I'm sorry, I'm stuck with message:
[Exception] Cannot apply patch Fix PHP 7 and 8 compatibility (https://yiisoft.github.io/phpunit-patches/phpunit_mock_objects.patch)!
Could be because of my specific multiphp configuration. I could try on linux machine next week.
Do you have any suggestion about method name (if other name will be more in spirit of yii2)?
Should I keep additional checks?
Do you have any suggestion about method name (if other name will be more in spirit of yii2)?
No.
Should I keep additional checks?
Yes.
After implementing AuthKey check on every request, UPGRADE guide says:
First issue is documentation - yii\web\User::logout() will destroy session, not recreate it, so it should be removed from documentation; or updated to say:
Main issue is destroying login cookie when calling yii\web\User::switchIdentity() or yii\web\User::login(). If you call it without second parameter ($duration) cookie is destroyed. But yii\web\User doesn't have publicly available method to check if there is existing cookie nor to fetch duration from it.
What steps will reproduce the problem?
1.) Setup project to change authKey and call yii\web\User::switchIdentity($userModel) on password change
2.) Login with remember me option
3.) Close browser and reopen it (alternate: delete session cookie and refresh). Are you still logged in?
4.) Change password
5.) Close browser and reopen it (alternate: delete session cookie and refresh). Are you still logged in?
What is the expected result?
Step 3: YES
Step 5: YES
What do you get instead?
Step 3: YES
Step 5: NO
Additional info
This is detected in 2.0.46, but it's possible that it even predates 2.0.40 because logic is extended to check authKey at any request in 2.0.40 and instruction is added in UPGRADE guide to avoid logout at session level. But check was implemented earlier for cookie and there was no way of renewing cookie login authKey even before.
Proposed solution
Adding dedicated method which extracts current cookie and renews it if necessary is simplest and safest solution:
About optional checks: If we don't want to use new method as another login alternative, we can prevent switching identity if it isn't same user or if user isn't logged in (e.g. changing password via password reset). If you think it should be part of application logic, not framework, feel free to skip it.
If requested, I could make pull request, but I don't regularly use github, so it would take some time.
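The approach sketched in the proposed solution and the optional checks above (read the existing identity cookie, recover its duration, and let switchIdentity() re-issue the cookie with the new authKey), written out as an added example. This is not code from the issue or from the yii2 code base; it assumes the application registers this subclass as its user component (e.g. 'user' => ['class' => app\components\User::class, ...]), and the method names renewIdentityCookie() and getDurationFromRawIdentityCookie() are my own. It reads the cookie raw because the protected yii\web\User::getIdentityAndDurationFromCookie() validates the authKey stored in the cookie, which is exactly the value that has just been rotated, so it would reject the cookie and delete it. Cookie integrity still rests on Request::$enableCookieValidation; on top of that the example only extends a cookie whose id matches the user already logged in through the session, so it can never act as an alternative login path.

```php
<?php
// Added example (not part of yii2 or of the issue's patch). Assumes this
// class is configured as the application's 'user' component.

namespace app\components;

use Yii;
use yii\web\IdentityInterface;

class User extends \yii\web\User
{
    /**
     * Re-issues the "remember me" identity cookie for the current user after
     * their authKey has been regenerated (e.g. on password change), instead of
     * letting a plain switchIdentity($identity) drop the cookie.
     *
     * Returns true when a cookie was renewed, false when nothing was done.
     */
    public function renewIdentityCookie(IdentityInterface $identity): bool
    {
        // Optional checks from the discussion: refuse to act for guests or for
        // a different user, so this can never be used to log someone in.
        if ($this->getIsGuest() || (string) $this->getId() !== (string) $identity->getId()) {
            return false;
        }

        $duration = $this->getDurationFromRawIdentityCookie();
        if (!$this->enableAutoLogin || $duration === null) {
            // No auto-login cookie present: a session-level switch is all that is needed.
            $this->switchIdentity($identity);
            return false;
        }

        // With a positive duration, switchIdentity() removes the old cookie and
        // sends a fresh one carrying $identity->getAuthKey(), i.e. the new key.
        $this->switchIdentity($identity, $duration);
        return true;
    }

    /**
     * Extracts the login duration from the raw identity cookie without
     * validating the (now stale) authKey stored inside it. Tampering is still
     * caught earlier by the request component's cookie validation.
     */
    protected function getDurationFromRawIdentityCookie(): ?int
    {
        $value = Yii::$app->getRequest()->getCookies()->getValue($this->identityCookie['name']);
        if ($value === null) {
            return null;
        }

        // Payload layout written by yii\web\User::sendIdentityCookie(): [id, authKey, duration]
        $data = json_decode($value, true);
        if (!is_array($data) || count($data) !== 3) {
            return null;
        }
        [$id, , $duration] = $data;

        // Only ever extend a cookie that belongs to the session's own user.
        if ((string) $id !== (string) $this->getId()) {
            return null;
        }

        return (is_int($duration) && $duration > 0) ? $duration : null;
    }
}
```

In the password-change action this replaces the bare switchIdentity() call: after saving the model with its regenerated authKey, call Yii::$app->user->renewIdentityCookie($model). A session-only login (no cookie) behaves exactly as before, and a password reset performed while logged out leaves the identity untouched and returns false.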