Merge branch 'prep-release-3.1.0' into develop-ascraeus

phpBB/phpbb/session.php

@@ -577,26 +577,15 @@ class session
 			}
 		}
 
-		if ($user_id !== false && !sizeof($this->data))
-		{
-			$this->cookie_data['k'] = '';
-			$this->cookie_data['u'] = $user_id;
-
-			$sql = 'SELECT *
-				FROM ' . USERS_TABLE . '
-				WHERE user_id = ' . (int) $this->cookie_data['u'] . '
-					AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
-			$result = $db->sql_query($sql);
-			$this->data = $db->sql_fetchrow($result);
-			$db->sql_freeresult($result);
-			$bot = false;
-		}
-		else if (!$bot)
-		{
 		$provider_collection = $phpbb_container->get('auth.provider_collection');
 		$provider = $provider_collection->get_provider();
 		$this->data = $provider->autologin();
 
+		if ($user_id !== false && sizeof($this->data) && $this->data['user_id'] != $user_id)
+		{
+			$this->data = array();
+		}
+
 		if (sizeof($this->data))
 		{
 			$this->cookie_data['k'] = '';
@@ -614,11 +603,31 @@ class session
 					AND k.user_id = u.user_id
 					AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
 			$result = $db->sql_query($sql);
+			$user_data = $db->sql_fetchrow($result);
+
+			if ($user_id === false || (isset($user_data['user_id']) && $user_id == $user_data['user_id']))
+			{
+				$this->data = $user_data;
+				$bot = false;
+			}
+
+			$db->sql_freeresult($result);
+		}
+
+		if ($user_id !== false && !sizeof($this->data))
+		{
+			$this->cookie_data['k'] = '';
+			$this->cookie_data['u'] = $user_id;
+
+			$sql = 'SELECT *
+				FROM ' . USERS_TABLE . '
+				WHERE user_id = ' . (int) $this->cookie_data['u'] . '
+					AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
+			$result = $db->sql_query($sql);
 			$this->data = $db->sql_fetchrow($result);
 			$db->sql_freeresult($result);
 			$bot = false;
 		}
-		}
 
 		// Bot user, if they have a SID in the Request URI we need to get rid of it
 		// otherwise they'll index this page with the SID, duplicate content oh my!