Merge 4b6c248296 into 666b4094b4

The ALC token is no longer rotated during an active login. Also removed related
`replace_token_during_session_renewal` config. The extension point that was
previously provided in the `renew()` method has been renamed and is now triggered
externally in the `CookieAuthenticationHandler::authenticateRequest()` method.

src/Control/Controller.php

@@ -627,9 +627,8 @@ class Controller extends RequestHandler implements TemplateGlobalProvider
      * Caution: All parameters are expected to be URI-encoded already.
      *
      * @param string|array $arg One or more link segments, or list of link segments as an array
-     * @return string
      */
-    public static function join_links($arg = null)
+    public static function join_links($arg = null): string
     {
         if (func_num_args() === 1 && is_array($arg)) {
             $args = $arg;

src/Security/MemberAuthenticator/CookieAuthenticationHandler.php

@@ -175,22 +175,8 @@ class CookieAuthenticationHandler implements AuthenticationHandler
             $this->cascadeInTo->logIn($member, false, $request);
         }
 
-        // Renew the token
-        Deprecation::withSuppressedNotice(fn() => $rememberLoginHash->renew());
-
-        // Send the new token to the client if it was changed
-        if ($rememberLoginHash->getToken()) {
-            $tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days');
-            Cookie::set(
-                $this->getTokenCookieName(),
-                $member->ID . ':' . $rememberLoginHash->getToken(),
-                $tokenExpiryDays,
-                null,
-                null,
-                false,
-                true
-            );
-        }
+        // Session renewal hook
+        $rememberLoginHash->extend('onAfterRenewSession');
 
         // Audit logging hook
         $member->extend('memberAutoLoggedIn');

src/Security/RememberLoginHash.php

@@ -82,15 +82,6 @@ class RememberLoginHash extends DataObject
      */
     private static $force_single_token = false;
 
-    /**
-     * If true, the token will be replaced during session renewal. This can cause unexpected
-     * logouts if the new token does not reach the client (e.g. due to a network error).
-     *
-     * This can be disabled as of CMS 5.3, and renewal will be removed entirely in CMS 6.
-     * @deprecated 5.3.0 Will be removed without equivalent functionality
-     */
-    private static bool $replace_token_during_session_renewal = true;
-
     /**
      * The token used for the hash. Only present during the lifetime of the request
      * that generates it, as the hash representation is stored in the database and
@@ -201,28 +192,6 @@ class RememberLoginHash extends DataObject
         return $rememberLoginHash;
     }
 
-    /**
-     * Generates a new hash for this member but keeps the device ID intact
-     *
-     * @deprecated 5.3.0 Will be removed without equivalent functionality
-     * @return RememberLoginHash
-     */
-    public function renew()
-    {
-        // Only regenerate token if configured to do so
-        Deprecation::notice('5.3.0', 'Will be removed without equivalent functionality');
-        $replaceToken = RememberLoginHash::config()->get('replace_token_during_session_renewal');
-        if ($replaceToken) {
-            $hash = $this->getNewHash($this->Member());
-            $this->Hash = $hash;
-        }
-
-        $this->extend('onAfterRenewToken', $replaceToken);
-        $this->write();
-
-        return $this;
-    }
-
     /**
      * Deletes existing tokens for this member
      * if logout_across_devices is true, all tokens are deleted, otherwise