[ticket/17338] Do not update user_last_active to outdated session_time value

PHPBB-17338

phpBB/phpbb/session.php

@@ -441,7 +441,7 @@ class session
 						$this->check_ban_for_current_session($config);
 
 						// Update user last active time accordingly, but in a minute or so
-						if ((int) $this->data['session_time'] - (int) $this->data['user_last_active'] > 60)
+						if ($this->time_now - (int) $this->data['user_last_active'] > 60)
 						{
 							$this->update_last_active_time();
 						}
@@ -903,8 +903,7 @@ class session
 			}
 
 			$sql = 'UPDATE ' . USERS_TABLE . '
-				SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
+				SET user_lastvisit = ' . (int) $this->data['session_time'] . '
-					user_last_active = ' . (int) $this->data['session_time'] . '
 				WHERE user_id = ' . (int) $this->data['user_id'];
 			$db->sql_query($sql);
 
@@ -988,7 +987,7 @@ class session
 					// For SQLite versions 3.8.3+ which support Common Table Expressions (CTE)
 					$sql = "WITH s3 (session_page, session_user_id, session_time) AS ($sql_select)
 						UPDATE " . USERS_TABLE . '
-						SET (user_lastpage, user_lastvisit, user_last_active) = (SELECT session_page, session_time, session_time FROM s3 WHERE session_user_id = user_id)
+						SET (user_lastpage, user_lastvisit) = (SELECT session_page, session_time FROM s3 WHERE session_user_id = user_id)
 						WHERE EXISTS (SELECT session_user_id FROM s3 WHERE session_user_id = user_id)';
 					$db->sql_query($sql);
 
@@ -1001,9 +1000,7 @@ class session
 				while ($row = $db->sql_fetchrow($result))
 				{
 					$sql = 'UPDATE ' . USERS_TABLE . '
-						SET user_lastvisit = ' . (int) $row['recent_time'] . ',
+						SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
-							user_last_active = ' .  (int) $row['recent_time'] . ",
-							user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
 						WHERE user_id = " . (int) $row['session_user_id'];
 					$db->sql_query($sql);
 				}
@@ -1013,14 +1010,14 @@ class session
 			case 'mysqli':
 				$sql = 'UPDATE ' . USERS_TABLE . " u,
 					($sql_select) s3
-					SET u.user_lastvisit = s3.recent_time, u.user_last_active = s3.recent_time, u.user_lastpage = s3.session_page
+					SET u.user_lastvisit = s3.recent_time, u.user_lastpage = s3.session_page
 					WHERE u.user_id = s3.session_user_id";
 				$db->sql_query($sql);
 			break;
 
 			default:
 				$sql = 'UPDATE ' . USERS_TABLE . "
-					SET user_lastvisit = s3.recent_time, user_last_active = s3.recent_time, user_lastpage = s3.session_page
+					SET user_lastvisit = s3.recent_time, user_lastpage = s3.session_page
 					FROM ($sql_select) s3
 					WHERE user_id = s3.session_user_id";
 				$db->sql_query($sql);
@@ -1653,9 +1650,7 @@ class session
 		if ($row)
 		{
 			$sql = 'UPDATE ' . USERS_TABLE . '
-				SET user_lastvisit = ' . (int) $row['session_time'] . ',
+				SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
-					user_last_active = ' . (int) $row['session_time'] . ",
-					user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
 				WHERE user_id = " . (int) $user_id;
 			$db->sql_query($sql);
 		}
@@ -1817,7 +1812,7 @@ class session
 		{
 			$sql = 'UPDATE ' . USERS_TABLE . '
 				SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
-					user_last_active = ' . (int) $this->data['session_time'] . '
+					user_last_active = ' . $this->time_now . '
 				WHERE user_id = ' . (int) $this->data['user_id'];
 			$db->sql_query($sql);
 		}
@@ -1832,10 +1827,10 @@ class session
 	{
 		global $db;
 
-		if (isset($this->data['session_time'], $this->data['user_id']))
+		if (isset($this->time_now, $this->data['user_id']))
 		{
 			$sql = 'UPDATE ' . USERS_TABLE . '
-				SET user_last_active = ' . (int) $this->data['session_time'] . '
+				SET user_last_active = ' . $this->time_now . '
 				WHERE user_id = ' . (int) $this->data['user_id'];
 			$db->sql_query($sql);
 		}

tests/session/fixtures/sessions_garbage.xml

@@ -7,7 +7,6 @@
 		<column>user_sig</column>
 		<column>user_lastpage</column>
 		<column>user_lastvisit</column>
-		<column>user_last_active</column>
 		<row>
 			<value>4</value>
 			<value>bar</value>
@@ -15,7 +14,6 @@
 			<value></value>
 			<value>oldpage_user_bar.php</value>
 			<value>1400000000</value>
-			<value>1300000999</value>
 		</row>
 		<row>
 			<value>5</value>
@@ -24,7 +22,6 @@
 			<value></value>
 			<value>oldpage_user_foo.php</value>
 			<value>1400000000</value>
-			<value>1300000998</value>
 		</row>
 	</table>
 	<table name="phpbb_sessions">

tests/session/garbage_collection_test.php

@@ -65,13 +65,11 @@ class phpbb_session_garbage_collection_test extends phpbb_session_test_case
 				[
 					'username_clean' => 'bar',
 					'user_lastvisit' => 1400000000,
-					'user_last_active' => 1300000999,
 					'user_lastpage' => 'oldpage_user_bar.php',
 				],
 				[
 					'username_clean' => 'foo',
 					'user_lastvisit' => 1400000000,
-					'user_last_active' => 1300000998,
 					'user_lastpage' => 'oldpage_user_foo.php',
 				],
 			],
@@ -91,13 +89,11 @@ class phpbb_session_garbage_collection_test extends phpbb_session_test_case
 				[
 					'username_clean' => 'bar',
 					'user_lastvisit' => '1500000000',
-					'user_last_active' => '1500000000',
 					'user_lastpage' => 'newpage_user_bar.php',
 				],
 				[
 					'username_clean' => 'foo',
 					'user_lastvisit' => '1500000000',
-					'user_last_active' => '1500000000',
 					'user_lastpage' => 'newpage_user_foo.php',
 				],
 			],

tests/test_framework/phpbb_session_test_case.php

@@ -50,7 +50,7 @@ abstract class phpbb_session_test_case extends phpbb_database_test_case
 
 	protected function check_user_session_data($expected_session_data, $message)
 	{
-		$sql= 'SELECT username_clean, user_lastvisit, user_last_active, user_lastpage
+		$sql= 'SELECT username_clean, user_lastvisit, user_lastpage
 			FROM ' . USERS_TABLE . '
 			ORDER BY user_id';