From ef2cc9a203bb3242f091655b2ef69042a5db1c5c Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Tue, 19 Jan 2021 12:52:12 +0530
Subject: [PATCH] Webservice extendSession throwing Authentication failed error

---
 include/Webservices/ExtendSession.php     | 26 ++++++++++++-----------
 libraries/HTTP_Session2/HTTP/Session2.php | 19 +++--------------
 webservice.php                            |  4 ++--
 3 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/include/Webservices/ExtendSession.php b/include/Webservices/ExtendSession.php
index 4c44ef6e8..f755d5334 100644
--- a/include/Webservices/ExtendSession.php
+++ b/include/Webservices/ExtendSession.php
@@ -10,17 +10,19 @@
 
 	function vtws_extendSession(){
 		global $adb,$API_VERSION,$application_unique_key;
-		if(isset($_SESSION["authenticated_user_id"]) && $_SESSION["app_unique_key"] == $application_unique_key){
-			$userId = $_SESSION["authenticated_user_id"];
-			$sessionManager = new SessionManager();
-			$sessionManager->set("authenticatedUserId", $userId);
-			$crmObject = VtigerWebserviceObject::fromName($adb,"Users");
-			$userId = vtws_getId($crmObject->getEntityId(),$userId);
-			$vtigerVersion = vtws_getVtigerVersion();
-			$resp = array("sessionName"=>$sessionManager->getSessionId(),"userId"=>$userId,"version"=>$API_VERSION,"vtigerVersion"=>$vtigerVersion);
-			return $resp;
-		}else{
-			throw new WebServiceException(WebServiceErrorCode::$AUTHFAILURE,"Authencation Failed");
-		}
+		if($_SESSION['authenticatedUserId'] || (isset($_SESSION["authenticated_user_id"]) && $_SESSION["app_unique_key"] == $application_unique_key)){
+			$userId = ($_SESSION["authenticated_user_id"]) ? $_SESSION["authenticated_user_id"] : $_SESSION['authenticatedUserId'];
+			//unsetting as session manager will set it, if set then it is not extended by HTTP_Session::setExpire
+                        unset($_SESSION['__HTTP_Session_Expire_TS']);
+                        $sessionManager = new SessionManager();
+ 			$sessionManager->set("authenticatedUserId", $userId);
+ 			$crmObject = VtigerWebserviceObject::fromName($adb,"Users");
+ 			$userId = vtws_getId($crmObject->getEntityId(),$userId);
+ 			$vtigerVersion = vtws_getVtigerVersion();
+ 			$resp = array("sessionName"=>$sessionManager->getSessionId(),"userId"=>$userId,"version"=>$API_VERSION,"vtigerVersion"=>$vtigerVersion);
+ 			return $resp;
+ 		}else{
+ 			throw new WebServiceException(WebServiceErrorCode::$AUTHFAILURE,"Authencation Failed");
+ 		}
 	}
 ?>
\ No newline at end of file
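Review bot: The new `if` condition accepts any session in which `$_SESSION['authenticatedUserId']` is truthy without comparing `$_SESSION["app_unique_key"]` to `$application_unique_key`, so the per-installation binding the old code enforced is skipped for those sessions. If the key is simply not stored at webservice login (not visible in this hunk), storing it there and keeping the comparison for both id keys would preserve the binding, e.g. `if((!empty($_SESSION['authenticatedUserId']) || !empty($_SESSION['authenticated_user_id'])) && isset($_SESSION['app_unique_key']) && $_SESSION['app_unique_key'] === $application_unique_key){`. Both session keys are also read without `isset()`/`empty()` in the condition and on the `$userId` line, which raises undefined-index notices when only one of them exists; `$userId = !empty($_SESSION['authenticated_user_id']) ? $_SESSION['authenticated_user_id'] : $_SESSION['authenticatedUserId'];` avoids that. The added lines mix tab, space and space-plus-tab indentation, which is worth normalising to the file's tabs.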
diff --git a/libraries/HTTP_Session2/HTTP/Session2.php b/libraries/HTTP_Session2/HTTP/Session2.php
index 3f6774473..6353f3392 100644
--- a/libraries/HTTP_Session2/HTTP/Session2.php
+++ b/libraries/HTTP_Session2/HTTP/Session2.php
@@ -463,22 +463,9 @@ class HTTP_Session2
      */
     public static function useCookies($useCookies = null)
     {
-        $return = false;
-        if (ini_get('session.use_cookies') == '1') {
-            $return = true;
-        }
-        if ($useCookies !== null) {
-            if ($useCookies === true) {
-                $status = ini_set('session.use_cookies', 1);
-            } else {
-                $status = ini_set('session.use_cookies', 0);
-            }
-            if ($status === false) {
-                $msg  = "Could not set 'session.use_cookies'. Please check your ";
-                $msg .= 'permissions to override php.ini-settings. E.g. a possible ';
-                $msg .= 'php_admin_value setting or blocked ini_set() calls ';
-                throw new HTTP_Session2_Exception($msg, self::ERR_SYSTEM_PERM);
-            }
+        $return = ini_get('session.use_cookies') ? true : false;
+        if (isset($useCookies)) {
+            ini_set('session.use_cookies', $useCookies ? 1 : 0);
         }
         return $return;
     }
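Review bot: The return value of `ini_set('session.use_cookies', ...)` is no longer checked, so a failed override now passes silently and the caller continues with a cookie setting it did not ask for. The removed message names `php_admin_value` and blocked `ini_set()` calls as causes, and the call presumably also fails once a session is already active. Keeping the check preserves the failure signal: `if (ini_set('session.use_cookies', $useCookies ? 1 : 0) === false) { throw new HTTP_Session2_Exception("Could not set 'session.use_cookies'.", self::ERR_SYSTEM_PERM); }`. If the exception was dropped on purpose because this path is reached after the session has started, a short comment saying so would help, since this appears to be a bundled library file and the local divergence is otherwise unexplained.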
diff --git a/webservice.php b/webservice.php
index 98dfa1e02..bc47ea685 100644
--- a/webservice.php
+++ b/webservice.php
@@ -8,7 +8,7 @@
  * All Rights Reserved.
  ********************************************************************************/
 
-	require_once("config.php");
+require_once("config.php");
     /**
     * URL Verfication - Required to overcome Apache mis-configuration and leading to shared setup mode.
     */
@@ -90,7 +90,7 @@
 				// Workaround fix for PHP 5.3.x: $_REQUEST doesn't have PHPSESSID
 				if(isset($_REQUEST['PHPSESSID'])) {
 					$sessionId = vtws_getParameter($_REQUEST,"PHPSESSID");
-				} else {
+				} else if(isset($_COOKIE['PHPSESSID'])) {  //if not set its creating new session
 					// NOTE: Need to evaluate for possible security issues
 					$sessionId = vtws_getParameter($_COOKIE,'PHPSESSID');
 				}
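Review bot: With the `else` narrowed to `else if(isset($_COOKIE['PHPSESSID']))`, a request that carries the id in neither place leaves `$sessionId` unassigned within this hunk. Whether it is initialised earlier is not visible, because the enclosing block starts and ends outside the hunk. An explicit `else { $sessionId = null; }`, or an initialisation before the `if`, would make the no-session path deliberate rather than dependent on an undefined variable. The existing `NOTE: Need to evaluate for possible security issues` is still unresolved on this branch. The new trailing comment would read more clearly as `// only read the cookie when present; an absent id previously created a new session`.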
-- 
GitLab