Fix password creation validation - validation does not fail after pas…

…sword is changed.
OpenMage · Apr 4, 2023 · 54f7f20 · 54f7f20
1 parent 4acf457
commit 54f7f20
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
@@ -28,7 +28,7 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object
     public const VALIDATOR_HTTP_X_FORVARDED_FOR_KEY    = 'http_x_forwarded_for';
     public const VALIDATOR_HTTP_VIA_KEY                = 'http_via';
     public const VALIDATOR_REMOTE_ADDR_KEY             = 'remote_addr';
-    public const VALIDATOR_SESSION_EXPIRE_TIMESTAMP    = 'session_expire_timestamp';
+    public const VALIDATOR_SESSION_EXPIRE_TIMESTAMP    = 'session_expire_timestamp'; // Deprecated
     public const VALIDATOR_SESSION_RENEW_TIMESTAMP     = 'session_renew_timestamp';
     public const VALIDATOR_SESSION_LIFETIME            = 'session_lifetime';
     public const VALIDATOR_PASSWORD_CREATE_TIMESTAMP   = 'password_create_timestamp';
@@ -458,14 +458,20 @@ public function validate()
         if (!isset($_SESSION[self::VALIDATOR_KEY])) {
             $_SESSION[self::VALIDATOR_KEY] = $this->getValidatorData();
         } else {
+            // Load password timestamp data in case it was not loaded initially (customer was not logged in on first request)
+            if (isset($this->_data['visitor_data']['customer_id']) && ! isset($_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])) {
+                $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] =
+                    Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']);
+            }
+
             if (!self::$isValidated && ! $this->_validate()) {
                 $this->getCookie()->delete(session_name());
                 // throw core session exception
                 throw new Mage_Core_Model_Session_Exception('');
             }
 
             // Refresh expire timestamp
-            if ($this->useValidateSessionExpire()) {
+            if (!self::$isValidated && $this->useValidateSessionExpire()) {
                 $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_RENEW_TIMESTAMP] = time();
                 $_SESSION[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_LIFETIME] = $this->getCookie()->getLifetime();
             }
@@ -521,6 +527,8 @@ protected function _validate()
         ) {
             return false;
         }
+
+        // Validate password was not created after session expiration
         if ($this->useValidateSessionPasswordTimestamp()
             && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
             && isset($sessionData[self::VALIDATOR_SESSION_RENEW_TIMESTAMP])
@@ -530,6 +538,16 @@ protected function _validate()
             return false;
         }
 
+        // Validate password was not changed since previous request
+        if ($this->useValidateSessionPasswordTimestamp()
+            && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+            && isset($sessionData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+            && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+            != $sessionData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+        ) {
+            return false;
+        }
+
         return true;
     }
 

diff --git a/app/code/core/Mage/Customer/controllers/AccountController.php b/app/code/core/Mage/Customer/controllers/AccountController.php
@@ -1048,6 +1048,9 @@ public function editPostAction()
                 }
                 $this->_redirect('*/*/edit');
                 return $this;
+            } else {
+                // Unset validator data so that user is not logged out after password change
+                unset($_SESSION[Mage_Core_Model_Session_Abstract_Varien::VALIDATOR_KEY][Mage_Core_Model_Session_Abstract_Varien::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]);
             }
 
             try {