StayConnected + Singlesession does not display deleted sessions
Affected version
Version: 2.16.2
Summary
- Configure the following:
  - Sessions / Multiple sessions / One session per user
  - Sessions / Multiple sessions / Display deleted sessions
  - Plugins / Stay connected / Activation
- Log in without "stay connected" in a private tab
- In a non-private tab, log in with "stay connected"
- No session summary is shown, despite sessions being removed
Possible fixes
This issue is caused by the fact that endSession hooks are run twice:
- before displaying the fingerprint page (duplicate session is removed then)
- after submitting the fingerprint page (no more duplicate sessions at this point)
I have tried moving the singleSession plugin later in the plugin list, but this breaks some unit tests.
Additionally, the fact that StayConnected::storeBrowser does not call importHandlerData may cause issues with other plugins.
I also tried storing $req->info in StayConnected and restoring it after storeBrowser: it works, but if the "otherSessions" option is set, it causes duplicate display.
It looks like there is no satisfying way to handle this in the current state of the authentication code, because there is no way to resume "endAuth" at a particular step.