API Use new RememberLoginHash::onAfterRenewSession extension point

This extension point is triggered at the same step as the now-removed onAfterRenewToken extension point, which was replaced to reflect that the token is no longer rotated when a session renewal is triggered.
silverstripe · Aug 30, 2024 · 960ebac · 960ebac
1 parent 050c979
commit 960ebac
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/src/Extensions/RememberLoginHashExtension.php b/src/Extensions/RememberLoginHashExtension.php
@@ -8,6 +8,7 @@
 use SilverStripe\Security\RememberLoginHash;
 use SilverStripe\SessionManager\Models\LoginSession;
 use SilverStripe\SessionManager\Security\LogInAuthenticationHandler;
+use SilverStripe\SessionManager\Middleware\LoginSessionMiddleware;
 
 /**
  * @method LoginSession LoginSession()
@@ -33,9 +34,15 @@ protected function onAfterGenerateToken(): void
     }
 
     /**
+     * Overwrites the core session variable with the LoginSession record ID
+     * during session renewal when the user selects 'remember me' (ALC).
+     * This works in tandem with LoginSessionMiddleware, and avoids the
+     * overhead of an additional DB query.
+     *
+     * @see LoginSessionMiddleware
      * @return void
      */
-    protected function onAfterRenewToken(): void
+    protected function onAfterRenewSession(): void
     {
         $loginHandler = Injector::inst()->get(LogInAuthenticationHandler::class);
         $request = Injector::inst()->get(HTTPRequest::class);

diff --git a/src/Middleware/LoginSessionMiddleware.php b/src/Middleware/LoginSessionMiddleware.php
@@ -31,6 +31,8 @@ public function process(HTTPRequest $request, callable $delegate)
         }
 
         try {
+            // Extract the session identifier (when this module is installed, the session identifier is set to the
+            // LoginSession ID rather than the RememberLoginHash ID, to avoid an extra query to get the related model.)
             $loginSessionID = $request->getSession()->get($loginHandler->getSessionVariable());
             $loginSession = LoginSession::get_by_id($loginSessionID);
 

diff --git a/src/Security/LogInAuthenticationHandler.php b/src/Security/LogInAuthenticationHandler.php
@@ -100,6 +100,8 @@ public function logIn(Member $member, $persistent = false, HTTPRequest $request
             $rememberLoginHash->write();
         }
 
+        // Overwrite the session identifier, storing the LoginSession ID instead of the RememberLoginHash ID.
+        // This is read by LoginSessionMiddleware, and avoids an extra query to fetch the related model.
         if ($request) {
             $request->getSession()->set($this->getSessionVariable(), $loginSession->ID);
         }