GitLab

B7634. Fixes #7634. Session Timeout zu kurz. The bug was probably not a bug, but a too short timeout together with an misleading exception (logout and in - but reload the page also leads to valid page). The fix is 'take the system default (php.ini) and set that one'.

Fixes #6866: On logout destroy STORE_USER. Session.php: check if _COOKIE['fe_typo_user'] has changed - yes: clear STORE_USER. Store.php: Rearrange functions.

F4906 Php Session Timeout: can be specified globally in configuration and per form. Affects only logged in FE User.

Session.php: After setting the QFQ cookie lifetime AND calling setcookie() after session_start(), the QFQ session remains. Also, skipping Session::clearAll() protects against broken SIP after logout!

Bug4965: insert path to QFQ cookie/session, to make multiple installation possible. Only T3 index.php and QFQ API calls are supported to access the QFQ cookie/session.

Implemented for QFQ session. The T3 FE session still survive.

Session.php: introduced close(). This will unlock the current session. Take care on subsequent calls to reopen primary session again.

_paged renders the the current client parameter into a return URL. If the current client already contained a SIP, a check in Sip.php threw an exception, to prevent using the parameter 's' by the user.
 Sip.php: New: the exception is only thrown if the SIP is unknown.

CODING.md: update docs for situation 'new record already saved'.
FillStoreForm.php: In case of form load with r=0, the submitted form element names are does not contain the effective record id - workaround implemented.
Session.php: refactored clear(), create unsetItem().
Sip.php: new buildParamStringFromArray(), updateSipToSession().
Store.php: For r=0 SIPs always add a uniqe parameter.
AbstractBuildForm.php: modified message for subrecords on new record.
QuickFormQuery.php: create unique SIP on form load.

Sip.php, Constants.php: define constant

Session.php: save feUserGroup through init auf session.
Store.php: During API access restore feUserGroup from SESSION

SIP invalid: it seems that again more SIPs become invalid without known reason. Recoded Store, not to use Session Class - instead $_SESSION is used direct.
Session.php: exception commented
Store.php: recode accessing $_SESSION.

#2046: Dynamic Update mit {{feUser:T0}} Feld - fixed. Background: T3 environment not available during dynamicUpdate (called by AJAX through API). Restore feUser and feUserUid from Session. Not good, but better than nothing. Still missing: the rest of STORE_TYPO3
Session.php: extend checkFeUserUid() to save feUser as well as feUserUid. Fixed error that getSession() in phpDoc stated it returned class Store - correct is class Session.
Store.php: fillStoreTypo3() now respects that if there is no  T3 environment, restore at least feUser and feUserUid.

Session.php: If QFQ called by api, there is no T3 environment. Therefore there is no logged in FE User. We should keep the found SIP cache and take them (no flush, due to unknown logged in user).

Report.php, Store.php, QuickFormQuery.php: configuration option 'SESSION_NAME' removed and hard coded to 'qfq'.
Session.php, Sip.php: function checkFeUserUid() moved from Sip to Session. Will be called by using 'Session'. SIP's now stored one level deeper in $_SESSION['qfq'][...]. This makes it easier to destroy the SIP cachae in case of login/logout. Destroying the whole $_SESSION var is not a good idea.