[*] Rework session destroy into customer session clean

[sfritzsche]

Description (*)

Before:

The current session (incl. cart items) making a password “forget” request is destroyed as soon as a password request with a formally correct email address is received.

After:

The process is only triggered if the email address really exists.
If it does, only the customer session associated with the email address is reset and not the session that “requested” it.

Fixed Issues

1. Fixes The shopping cart will be emptied as soon as the forgot password process has been started #39021

Manual testing scenarios (*)

1. add a product to the shopping cart.
2. start the "Forgot password" process on the "/customer/account/forgotpassword" page with a formally correct email address.
3. the product is still in the shopping cart.

[m2-assistant]

Hi @sfritzsche. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.

Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento give me test instance - deploy test instance based on PR changes
• @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[sfritzsche]

@magento run all tests

[sfritzsche]

@magento run all tests

[sfritzsche]

@magento run all tests

[sfritzsche]

@magento run all tests

[igorwulff]

Hi @sfritzsche, for a client of ours we are looking at exactly the same issue. I have been looking at the PR and I'm not sure if the clearFor call is really needed?

When only removing the $this->session->destroy line everything seems to be working in correct order. So I'm wondering in what scenario the other part of this PR is needed?

The clearFor call also causes a possible place for misbehaviour since this controller could get used to spam a lot of update calls to the database or be used to clear sessions for other accounts.

[sfritzsche]

Hi @igorwulff, this issue/pull-request was one of many that day. Unfortunately, I didn't have time to familiarize myself with the exact processes. However, I had seen in the history of the file that the last commit concerned exactly this line:

7014da9

The title of the commit “Reset password issue using a different browser to login” made me assume that there was an important reason to include the line. (@abukatar)

A second reason for the conversion to “clearFor” was an older ticket on the same topic:

#14530

There, the same line was converted in the same way.

In theory, I would agree with you that there should theoretically be no need to reset anything in the user's session for the “Reset password” process.

But it really wasn't within my time frame to check the details.

[sfritzsche]

@magento run all tests

[sfritzsche]

@magento run all tests