Automattic · miguelpeixe · Aug 12, 2024 · Aug 9, 2024
@@ -53,13 +53,6 @@ final class Reader_Activation {
 	 */
 	const SSO_REGISTRATION_METHODS = [ 'google' ];
 
-	/**
-	 * Whether the session is authenticating a newly registered reader
-	 *
-	 * @var bool
-	 */
-	private static $is_new_reader_auth = false;
-
 	/**
 	 * Initialize hooks.
 	 */
@@ -750,6 +743,20 @@ public static function set_reader_verified( $user_or_user_id ) {
 
 		WooCommerce_Connection::add_wc_notice( __( 'Thank you for verifying your account!', 'newspack-plugin' ), 'success' );
 
+		/**
+		 * Upon verification we want to destroy existing sessions to prevent a bad
+		 * actor having originated the account creation from accessing the, now
+		 * verified, account.
+		 *
+		 * If the verification is for the current user, we destroy other sessions.
+		 */
+		if ( get_current_user_id() === $user->ID ) {
+			\wp_destroy_other_sessions();
+		} else {
+			$session_tokens = \WP_Session_Tokens::get_instance( $user->ID );
+			$session_tokens->destroy_all();
+		}
+
 		/**
 		 * Fires after a reader's email address is verified.
 		 *
@@ -819,15 +826,6 @@ public static function auth_cookie_expiration( $length, $user_id, $remember ) {
 				$length = YEAR_IN_SECONDS;
 			}
 		}
-
-		/**
-		 * If the session is authenticating a newly registered reader we want the
-		 * auth cookie to be short lived since the email ownership has not yet been
-		 * verified.
-		 */
-		if ( true === self::$is_new_reader_auth ) {
-			$length = 24 * HOUR_IN_SECONDS;
-		}
 		return $length;
 	}
 
@@ -1688,7 +1686,6 @@ public static function register_reader( $email, $display_name = '', $authenticat
 			Logger::log( 'Created new reader user with ID ' . $user_id );
 
 			if ( $authenticate ) {
-				self::$is_new_reader_auth = true;
 				self::set_current_reader( $user_id );
 			}
 		}