From c5758e7ac4875065a8cbe4022e7d08a853904431 Mon Sep 17 00:00:00 2001
From: Matt Friedman <maf675@gmail.com>
Date: Thu, 11 Sep 2025 11:29:41 -0700
Subject: [PATCH] [ticket/17451] Prevent web push service worker from updating
 user activity

PHPBB-17451
---
 phpBB/phpbb/session.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 5a1c2e872f..579040d703 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -1715,7 +1715,7 @@ class session
 	{
 		global $db;
 
-		if (isset($this->data['session_time'], $this->data['user_id']))
+		if (isset($this->data['session_time'], $this->data['user_id']) && !$this->is_push_notification_request())
 		{
 			$sql = 'UPDATE ' . USERS_TABLE . '
 				SET user_lastvisit = ' . (int) $this->data['session_time'] . ',
@@ -1734,7 +1734,7 @@ class session
 	{
 		global $db;
 
-		if (isset($this->time_now, $this->data['user_id']))
+		if (isset($this->time_now, $this->data['user_id']) && !$this->is_push_notification_request())
 		{
 			$sql = 'UPDATE ' . USERS_TABLE . '
 				SET user_last_active = ' . $this->time_now . '
@@ -1742,4 +1742,16 @@ class session
 			$db->sql_query($sql);
 		}
 	}
+
+	/**
+	 * Determine if the request is an Ajax request from the web push service worker
+	 *
+	 * @return bool True if the request is an Ajax request and the page URL contains '/push/notification', otherwise false
+	 */
+	protected function is_push_notification_request(): bool
+	{
+		global $request;
+
+		return $request->is_ajax() && str_contains($this->page['page'], '/push/notification');
+	}
 }