magento
diff --git a/‎app/code/Magento/Customer/Model/Session.php
Lines changed: 6 additions & 9 deletions b/‎app/code/Magento/Customer/Model/Session.php
Lines changed: 6 additions & 9 deletions
diff --git a/‎app/code/Magento/Customer/Test/Unit/Model/SessionTest.php
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Customer/Test/Unit/Model/SessionTest.php
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/Store/Controller/Store/Redirect.php
Lines changed: 7 additions & 29 deletions b/‎app/code/Magento/Store/Controller/Store/Redirect.php
Lines changed: 7 additions & 29 deletions
diff --git a/‎app/code/Magento/Store/Model/Store.php
Lines changed: 1 addition & 7 deletions b/‎app/code/Magento/Store/Model/Store.php
Lines changed: 1 addition & 7 deletions
diff --git a/‎dev/tests/integration/testsuite/Magento/Customer/Model/SessionTest.php
Lines changed: 31 additions & 0 deletions b/‎dev/tests/integration/testsuite/Magento/Customer/Model/SessionTest.php
Lines changed: 31 additions & 0 deletions
diff --git a/‎dev/tests/integration/testsuite/Magento/Framework/Session/SessionManagerTest.php
Lines changed: 10 additions & 12 deletions b/‎dev/tests/integration/testsuite/Magento/Framework/Session/SessionManagerTest.php
Lines changed: 10 additions & 12 deletions
diff --git a/‎dev/tests/integration/testsuite/Magento/Framework/UrlTest.php
Lines changed: 3 additions & 4 deletions b/‎dev/tests/integration/testsuite/Magento/Framework/UrlTest.php
Lines changed: 3 additions & 4 deletions
@@ -19,6 +19,7 @@
  * @method string getNoReferer()
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ * @SuppressWarnings(PHPMD.TooManyFields)
  * @since 100.0.2
  */
 class Session extends \Magento\Framework\Session\SessionManager
@@ -108,6 +109,11 @@ class Session extends \Magento\Framework\Session\SessionManager
      */
     protected $response;
 
+    /**
+     * @var AccountConfirmation
+     */
+    private $accountConfirmation;
+
     /**
      * Session constructor.
      *
@@ -511,13 +517,6 @@ public function authenticate($loginUrl = null)
             $this->response->setRedirect($loginUrl);
         } else {
             $arguments = $this->_customerUrl->getLoginUrlParams();
-            if ($this->_createUrl()->getUseSession()) {
-                $arguments += [
-                    '_query' => [
-                        $this->sidResolver->getSessionIdQueryParam($this->_session) => $this->_session->getSessionId(),
-                    ]
-                ];
-            }
             $this->response->setRedirect(
                 $this->_createUrl()->getUrl(\Magento\Customer\Model\Url::ROUTE_ACCOUNT_LOGIN, $arguments)
             );
@@ -535,8 +534,6 @@ public function authenticate($loginUrl = null)
      */
     protected function _setAuthUrl($key, $url)
     {
-        $url = $this->_coreUrl->removeRequestParam($url, $this->sidResolver->getSessionIdQueryParam($this));
-        // Add correct session ID to URL if needed
         $url = $this->_createUrl()->getRebuiltUrl($url);
         return $this->storage->setData($key, $url);
     }
 
@@ -147,10 +147,10 @@ public function testAuthenticate()
         $urlMock->expects($this->once())
             ->method('getRebuiltUrl')
             ->willReturn('');
-        $this->urlFactoryMock->expects($this->exactly(4))
+        $this->urlFactoryMock->expects($this->exactly(3))
             ->method('create')
             ->willReturn($urlMock);
-        $urlMock->expects($this->once())
+        $urlMock->expects($this->never())
             ->method('getUseSession')
             ->willReturn(false);
 
 
@@ -11,19 +11,15 @@
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Framework\App\Action\HttpPostActionInterface;
-use Magento\Framework\App\ResponseInterface;
-use Magento\Framework\Controller\ResultInterface;
 use Magento\Framework\Exception\NoSuchEntityException;
-use Magento\Framework\Session\Generic as Session;
-use Magento\Framework\Session\SidResolverInterface;
 use Magento\Store\Api\StoreRepositoryInterface;
 use Magento\Store\Api\StoreResolverInterface;
 use Magento\Store\Model\Store;
 use Magento\Store\Model\StoreResolver;
 use Magento\Store\Model\StoreSwitcher\HashGenerator;
 
 /**
- * Builds correct url to target store and performs redirect.
+ * Builds correct url to target store (group) and performs redirect.
  */
 class Redirect extends Action implements HttpGetActionInterface, HttpPostActionInterface
 {
@@ -37,16 +33,6 @@ class Redirect extends Action implements HttpGetActionInterface, HttpPostActionI
      */
     private $storeResolver;
 
-    /**
-     * @var SidResolverInterface
-     */
-    private $sidResolver;
-
-    /**
-     * @var Session
-     */
-    private $session;
-
     /**
      * @var HashGenerator
      */
@@ -56,30 +42,28 @@ class Redirect extends Action implements HttpGetActionInterface, HttpPostActionI
      * @param Context $context
      * @param StoreRepositoryInterface $storeRepository
      * @param StoreResolverInterface $storeResolver
-     * @param Session $session
-     * @param SidResolverInterface $sidResolver
+     * @param \Magento\Framework\Session\Generic $session
+     * @param \Magento\Framework\Session\SidResolverInterface $sidResolver
      * @param HashGenerator $hashGenerator
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function __construct(
         Context $context,
         StoreRepositoryInterface $storeRepository,
         StoreResolverInterface $storeResolver,
-        Session $session,
-        SidResolverInterface $sidResolver,
+        \Magento\Framework\Session\Generic $session,
+        \Magento\Framework\Session\SidResolverInterface $sidResolver,
         HashGenerator $hashGenerator
     ) {
         parent::__construct($context);
         $this->storeRepository = $storeRepository;
         $this->storeResolver = $storeResolver;
-        $this->session = $session;
-        $this->sidResolver = $sidResolver;
         $this->hashGenerator = $hashGenerator;
     }
 
     /**
-     * Performs store redirect
+     * @inheritDoc
      *
-     * @return ResponseInterface|ResultInterface
      * @throws NoSuchEntityException
      */
     public function execute()
@@ -113,12 +97,6 @@ public function execute()
                 \Magento\Framework\App\ActionInterface::PARAM_NAME_URL_ENCODED => $encodedUrl,
             ];
 
-            if ($this->sidResolver->getUseSessionInUrl()) {
-                // allow customers to stay logged in during store switching
-                $sidName = $this->sidResolver->getSessionIdQueryParam($this->session);
-                $query[$sidName] = $this->session->getSessionId();
-            }
-
             $customerHash = $this->hashGenerator->generateHash($fromStore);
             $query = array_merge($query, $customerHash);
 
 
@@ -278,6 +278,7 @@ class Store extends AbstractExtensibleModel implements
 
     /**
      * @var \Magento\Framework\Session\SidResolverInterface
+     * @deprecated Not used anymore.
      */
     protected $_sidResolver;
 
@@ -1199,7 +1200,6 @@ public function isDefault()
      */
     public function getCurrentUrl($fromStore = true)
     {
-        $sidQueryParam = $this->_sidResolver->getSessionIdQueryParam($this->_getSession());
         $requestString = $this->_url->escape(ltrim($this->_request->getRequestString(), '/'));
 
         $storeUrl = $this->getUrl('', ['_secure' => $this->_storeManager->getStore()->isCurrentlySecure()]);
@@ -1218,12 +1218,6 @@ public function getCurrentUrl($fromStore = true)
         }
 
         $currQuery = $this->_request->getQueryValue();
-        if (isset($currQuery[$sidQueryParam])
-            && !empty($currQuery[$sidQueryParam])
-            && $this->_getSession()->getSessionIdForHost($storeUrl) != $currQuery[$sidQueryParam]
-        ) {
-            unset($currQuery[$sidQueryParam]);
-        }
 
         foreach ($currQuery as $key => $value) {
             $storeParsedQuery[$key] = $value;
 
@@ -6,9 +6,12 @@
 namespace Magento\Customer\Model;
 
 use Magento\Framework\App\PageCache\FormKey;
+use Magento\Framework\App\ResponseInterface;
+use Magento\Framework\Session\SidResolverInterface;
 use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 use Magento\Framework\Stdlib\Cookie\PublicCookieMetadata;
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\Framework\App\Response\Http as HttpResponse;
 
 /**
  * @magentoDataFixture Magento/Customer/_files/customer.php
@@ -29,6 +32,11 @@ class SessionTest extends \PHPUnit\Framework\TestCase
     /** @var PublicCookieMetadata $cookieMetadata */
     protected $cookieMetadata;
 
+    /**
+     * @var HttpResponse
+     */
+    private $response;
+
     protected function setUp()
     {
         $this->_customerSession = Bootstrap::getObjectManager()->create(
@@ -48,6 +56,7 @@ protected function setUp()
             'form_key',
             $this->cookieMetadata
         );
+        $this->response = Bootstrap::getObjectManager()->get(ResponseInterface::class);
     }
 
     public function testLoginById()
@@ -100,4 +109,26 @@ public function testLogoutActionFlushesFormKey()
 
         $this->assertNotEquals($beforeKey, $afterKey);
     }
+
+    /**
+     * Check that SID is not used in redirects.
+     *
+     * @return void
+     * @magentoConfigFixture current_store web/session/use_frontend_sid 1
+     */
+    public function testNoSid(): void
+    {
+        $this->_customerSession->authenticate();
+        $location = (string)$this->response->getHeader('Location');
+        $this->assertNotEmpty($location);
+        $this->assertNotContains(SidResolverInterface::SESSION_ID_QUERY_PARAM .'=', $location);
+        $beforeAuthUrl = $this->_customerSession->getData('before_auth_url');
+        $this->assertNotEmpty($beforeAuthUrl);
+        $this->assertNotContains(SidResolverInterface::SESSION_ID_QUERY_PARAM .'=', $beforeAuthUrl);
+
+        $this->_customerSession->authenticate('/customer/account');
+        $location = (string)$this->response->getHeader('Location');
+        $this->assertNotEmpty($location);
+        $this->assertNotContains(SidResolverInterface::SESSION_ID_QUERY_PARAM .'=', $location);
+    }
 }
@@ -52,7 +52,7 @@ function ini_set($varName, $newValue)
             SessionManagerTest::$isIniSetInvoked[$varName] = $newValue;
             return true;
         }
-        return call_user_func_array('\ini_set', func_get_args());
+        return call_user_func_array('\ini_set', [$varName, $newValue]);
     }
 
     /**
@@ -213,15 +213,16 @@ public function testDestroy()
         public function testSetSessionId()
         {
             $this->initializeModel();
-            $sessionId = $this->model->getSessionId();
-            $this->appState->expects($this->atLeastOnce())
+            $this->assertNotEmpty($this->model->getSessionId());
+            $this->appState->expects($this->any())
                 ->method('getAreaCode')
                 ->willReturn(\Magento\Framework\App\Area::AREA_FRONTEND);
-            $this->model->setSessionId($this->sidResolver->getSid($this->model));
-            $this->assertEquals($sessionId, $this->model->getSessionId());
 
             $this->model->setSessionId('test');
             $this->assertEquals('test', $this->model->getSessionId());
+            /* Use not valid identifier */
+            $this->model->setSessionId('test_id');
+            $this->assertEquals('test', $this->model->getSessionId());
         }
 
         /**
@@ -230,17 +231,14 @@ public function testSetSessionId()
         public function testSetSessionIdFromParam()
         {
             $this->initializeModel();
-            $this->appState->expects($this->atLeastOnce())
+            $this->appState->expects($this->any())
                 ->method('getAreaCode')
                 ->willReturn(\Magento\Framework\App\Area::AREA_FRONTEND);
+            $currentId = $this->model->getSessionId();
             $this->assertNotEquals('test_id', $this->model->getSessionId());
-            $this->request->getQuery()->set($this->sidResolver->getSessionIdQueryParam($this->model), 'test-id');
-            $this->model->setSessionId($this->sidResolver->getSid($this->model));
-            $this->assertEquals('test-id', $this->model->getSessionId());
-            /* Use not valid identifier */
-            $this->request->getQuery()->set($this->sidResolver->getSessionIdQueryParam($this->model), 'test_id');
+            $this->request->getQuery()->set(SidResolverInterface::SESSION_ID_QUERY_PARAM, 'test-id');
             $this->model->setSessionId($this->sidResolver->getSid($this->model));
-            $this->assertEquals('test-id', $this->model->getSessionId());
+            $this->assertEquals($currentId, $this->model->getSessionId());
         }
 
         public function testGetSessionIdForHost()
 
@@ -477,6 +477,8 @@ public function testGetDirectUrl()
     }
 
     /**
+     * Check that SID is removed from URL.
+     *
      * Note: isolation flushes the URL memory cache
      * @magentoAppIsolation enabled
      *
@@ -485,11 +487,8 @@ public function testGetDirectUrl()
      */
     public function testSessionUrlVar()
     {
-        $sessionId = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
-            \Magento\Framework\Session\Generic::class
-        )->getSessionId();
         $sessionUrl = $this->model->sessionUrlVar('<a href="http://example.com/?___SID=U">www.example.com</a>');
-        $this->assertEquals('<a href="http://example.com/?SID=' . $sessionId . '">www.example.com</a>', $sessionUrl);
+        $this->assertEquals('<a href="http://example.com/">www.example.com</a>', $sessionUrl);
     }
 
     public function testUseSessionIdForUrl()
Original file line number	Diff line number	Diff line change
`@@ -477,6 +477,8 @@ public function testGetDirectUrl()`
`477`	`477`	`}`
`478`	`478`
`479`	`479`	`/**`
	`480`	`+ * Check that SID is removed from URL.`
	`481`	`+ *`
`480`	`482`	`* Note: isolation flushes the URL memory cache`
`481`	`483`	`* @magentoAppIsolation enabled`
`482`	`484`	`*`
`@@ -485,11 +487,8 @@ public function testGetDirectUrl()`
`485`	`487`	`*/`
`486`	`488`	`public function testSessionUrlVar()`
`487`	`489`	`{`
`488`		`- $sessionId = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(`
`489`		`- \Magento\Framework\Session\Generic::class`
`490`		`- )->getSessionId();`
`491`	`490`	`$sessionUrl = $this->model->sessionUrlVar('<a href="http://example.com/?___SID=U">www.example.com</a>');`
`492`		`- $this->assertEquals('<a href="http://example.com/?SID=' . $sessionId . '">www.example.com</a>', $sessionUrl);`
	`491`	`+ $this->assertEquals('<a href="http://example.com/">www.example.com</a>', $sessionUrl);`
`493`	`492`	`}`
`494`	`493`
`495`	`494`	`public function testUseSessionIdForUrl()`