Merge "Session is not invalidating after password change (Bug #1363873)"

35510252 · Robert Lyon · Gerrit Code Review · 5916ccc3 · f103c650 · 35510252
Commit 35510252 authored Nov 26, 2014 by Robert Lyon Committed by Gerrit Code Review Nov 26, 2014
--- a/htdocs/auth/lib.php
+++ b/htdocs/auth/lib.php
@@ -414,7 +414,13 @@ function auth_setup () {
    // Check the time that the session is set to log out. If the user does
    // not have a session, this time will be 0.
    $sessionlogouttime = $USER->get('logout_time');
-    if ($sessionlogouttime && isset($_GET['logout'])) {
+
+    // Need to doublecheck that the User's sessionid still has a match the usr_session table
+    // It can disappear if the current user has hacked the real user's account and the real user has
+    // reset the password clearing the session from usr_session.
+    $sessionexists = get_record('usr_session', 'usr', $USER->id, 'session', $USER->get('sessionid'));
+    $parentuser = $USER->get('parentuser');
+    if (($sessionlogouttime && isset($_GET['logout'])) || ($sessionexists === false && $USER->get('sessionid') != '' && empty($parentuser))) {
        // Call the authinstance' logout hook
        $authinstance = $SESSION->get('authinstance');
        if ($authinstance) {

--- a/htdocs/forgotpass.php
+++ b/htdocs/forgotpass.php
@@ -223,6 +223,10 @@ function forgotpasschange_submit(Pieform $form, $values) {
        ensure_user_account_is_active($user);

        $USER->reanimate($user->id, $user->authinstance);
+
+        // Destroy other sessions of the user
+        remove_user_sessions($USER->get('id'));
+
        $SESSION->add_ok_msg(get_string('passwordchangedok'));
        redirect();
        exit;