PMCORE-651 Web entry data is insecure because the Guest user's session overwrites the one of the user currently logged

workflow/engine/methods/login/checkContinueOrCloseSession.php

@@ -3,6 +3,9 @@
 if (!empty($_POST['form'])) {
     if (!empty($_POST['form']['buttonContinue'])) {
         $_SESSION['__WEBENTRYCONTINUE__'] = true;
+        if (!empty($_SESSION['USER_LOGGED'])) {
+            $_SESSION['__WEBENTRYCONTINUE_USER_LOGGED__'] = $_SESSION['USER_LOGGED'];
+        }
     }
     if (!empty($_POST['form']['buttonLogout'])) {
         $_SESSION = [];

workflow/engine/methods/services/webentry/anonymousLogin.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * This service is to start PM with the anonymous user.
  */
@@ -19,6 +20,12 @@ try {
     }
 
     $userUid = $webEntry->getUsrUid();
+
+    if (!empty($_SESSION['__WEBENTRYCONTINUE_USER_LOGGED__'])) {
+        $userUid = $_SESSION['__WEBENTRYCONTINUE_USER_LOGGED__'];
+        unset($_SESSION['__WEBENTRYCONTINUE_USER_LOGGED__']);
+    }
+
     $userInfo = UsersPeer::retrieveByPK($userUid);
     if (empty($userInfo)) {
         throw new Exception('WebEntry User not found');