SessionReminder: Don't disclose session id

Services/Authentication/classes/class.ilSessionReminderCheck.php

@@ -9,10 +9,10 @@
 class ilSessionReminderCheck
 {
     /**
-     * @param string $sessionId
+     * @param string $sessionIdHash
      * @return string
      */
-    public function getJsonResponse(string $sessionId) : string
+    public function getJsonResponse(string $sessionIdHash) : string
     {
         /**
          * @var $ilDB            ilDBInterface
@@ -25,7 +25,7 @@ public function getJsonResponse(string $sessionId) : string
         $lng = $DIC['lng'];
         $ilClientIniFile = $DIC['ilClientIniFile'];
 
-        $GLOBALS['DIC']->logger()->auth()->debug('Session reminder call for: ' . $sessionId);
+        $GLOBALS['DIC']->logger()->auth()->debug('Session reminder call for session id hash: ' . $sessionIdHash);
 
         // disable session writing and extension of expiration time
         ilSession::enableWebAccessWithoutSession(true);
@@ -34,11 +34,12 @@ public function getJsonResponse(string $sessionId) : string
 
         $res = $ilDB->queryF(
             '
-			SELECT expires, user_id, data
-			FROM usr_session
-			WHERE session_id = %s',
-            array('text'),
-            array($sessionId)
+                SELECT expires, user_id, data
+                FROM usr_session
+                WHERE MD5(session_id) = %s
+            ',
+            ['text'],
+            [$sessionIdHash]
         );
 
         $num = (int) $ilDB->numRows($res);

Services/Authentication/classes/class.ilSessionReminderGUI.php

@@ -47,7 +47,6 @@ public function populatePage() : void
         $url = './sessioncheck.php?client_id=' . CLIENT_ID . '&lang=' . $this->lng->getLangKey();
         $devMode = defined('DEVMODE') && DEVMODE ? 1 : 0;
         $clientId = defined('CLIENT_ID') ? CLIENT_ID : '';
-        $sessionName = session_name();
         $sessionId = session_id();
         $sessionHash = md5($sessionId);
 
@@ -56,9 +55,7 @@ public function populatePage() : void
     $("body").ilSessionReminder({
         url: "$url",
         client_id: "$clientId",
-        session_name: "$sessionName",
-        session_id: "$sessionId",
-        session_id_hash: "$sessionHash",
+        hash: "$sessionHash",
         frequency: 60,
         debug: $devMode
     });

Services/Authentication/js/session_reminder.js

@@ -71,7 +71,7 @@
 				dataType:'json',
 				type:    'POST',
 				data: {
-					session_id: properties.session_id
+					hash: properties.hash
 				},
 				success: function (response) {
 					if (response.message && typeof response.message == "string") {
@@ -130,13 +130,11 @@
 						properties: $.extend(
 							true, {},
 							{
-								url         :"",
-								client_id   :"",
-								session_name:"",
-								session_id  :"",
-								session_id_hash  :"",
-								frequency   :60,
-								debug       :0
+								url: "",
+								client_id: "",
+								hash: "",
+								frequency: 60,
+								debug: 0
 							},
 							params
 						)

sessioncheck.php

@@ -14,6 +14,6 @@
 include_once 'Services/Authentication/classes/class.ilSessionReminderCheck.php';
 $session_reminder_check = new ilSessionReminderCheck();
 echo $session_reminder_check->getJsonResponse(
-    ilUtil::stripSlashes($_POST['session_id'])
+    ilUtil::stripSlashes($_POST['hash'] ?? '')
 );
 exit();