Re: Session Fixation 2.3

For anyone experiencing this issue, the fix was to upgrade to 2.3.5 and use the following patch: 

diff --git a/vendor/magento/module-customer/Controller/Account/Logout.php b/vendor/magento/module-customer/Controller/Account/Logout.php
index 9344f482bd6..20b4fe30aa2 100644
--- a/vendor/magento/module-customer/Controller/Account/Logout.php
+++ b/vendor/magento/module-customer/Controller/Account/Logout.php
@@ -4,8 +4,11 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Account;
 
+use Magento\Customer\Api\SessionCleanerInterface;
 use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Customer\Model\Session;
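Review bot: the `use` block in this hunk adds only `SessionCleanerInterface`, but the constructor change in the next hunk calls `ObjectManager::getInstance()`; unless `Magento\Framework\App\ObjectManager` is already imported further down the import list (not shown in this hunk), that call will not resolve, so confirm the import exists or add `use Magento\Framework\App\ObjectManager;` next to the new one. The added `declare(strict_types=1);` is placed correctly, directly after the file docblock and before the `namespace` statement.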
@@ -36,14 +39,23 @@ class Logout extends AbstractAccount implements HttpGetActionInterface, HttpPost
     private $cookieMetadataManager;
 
     /**
+     * @var SessionCleanerInterface
+     */
+    private $sessionCleaner;
+
+    /**
      * @param Context $context
      * @param Session $customerSession
+     * @param SessionCleanerInterface|null $sessionCleaner
      */
     public function __construct(
         Context $context,
-        Session $customerSession
+        Session $customerSession,
+        SessionCleanerInterface $sessionCleaner = null
     ) {
         $this->session = $customerSession;
+        $objectManager = ObjectManager::getInstance();
+        $this->sessionCleaner = $sessionCleaner ?? $objectManager->get(SessionCleanerInterface::class);
         parent::__construct($context);
     }
 
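Review bot: the `$sessionCleaner ?? $objectManager->get(SessionCleanerInterface::class)` fallback reaches into the static object manager, which Magento treats as a backward-compatibility shim for existing constructor signatures rather than the preferred injection style; that is acceptable for a patch applied to a released module, but any new caller should pass the cleaner explicitly so the dependency stays visible to DI configuration and unit tests. The parameter `SessionCleanerInterface $sessionCleaner = null` also relies on implicit nullability; writing it as `?SessionCleanerInterface $sessionCleaner = null` matches the `SessionCleanerInterface|null` annotation in the docblock and avoids the deprecation notice newer PHP versions emit for implicitly nullable parameters.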
@@ -85,6 +97,7 @@ class Logout extends AbstractAccount implements HttpGetActionInterface, HttpPost
         $lastCustomerId = $this->session->getId();
         $this->session->logout()->setBeforeAuthUrl($this->_redirect->getRefererUrl())
             ->setLastCustomerId($lastCustomerId);
+        $this->sessionCleaner->clearFor((int)$lastCustomerId);
         if ($this->getCookieManager()->getCookie('mage-cache-sessid')) {
             $metadata = $this->getCookieMetadataFactory()->createCookieMetadata();
             $metadata->setPath('/');
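Review bot: `$this->sessionCleaner->clearFor((int)$lastCustomerId)` is the line that actually addresses the session-fixation report, clearing the sessions the cleaner tracks for that customer id rather than only the one being logged out, but `$lastCustomerId` comes straight from `$this->session->getId()` and is never checked before the cast; if the action is reached without an authenticated customer, a null id becomes `0` and the cleaner is invoked for a customer that does not exist. Wrapping the call in `if ($lastCustomerId) { ... }` keeps behaviour identical for logged-in users and avoids the spurious call.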

I hope this helps anybody finding themselves here. I would imagine that more recent versions of Magento now include this patch. 
