[Typo3-dev] Notice: Loosing FE session in payment solution (3.6+)
Kasper Skårhøj
kasper2004 at typo3.com
Wed Aug 4 11:02:24 CEST 2004
Hi Folks.
(For Your Information if anyone is interested)
I just tracked down a bug on an old site of mine with a payment solution
(using DIBS). on the site people would loose their session the moment
they wanted to pay the goods - but only if logged in as fe users!
The problem is that 3.6.0+ by default locks the FE session to the value
of HTTP_USER_AGENT. But the payment solution was based on a relay which
requests the page from TYPO3 and sends the FE cookie - but obviously the
HTTP_USER_AGENT of the relay would mismatch the HTTP_USER_AGENT of the
users browser - and the session was cancelled.
The solution now is a setting in TYPO3_CONF_VARS (CVS version) which can
disable this behaviour for those very special occasions where needed.
<TYPO3_CONF_VARS[FE]>
'lockHashKeyWords' => 'useragent', // Keyword list (Strings
commaseparated). Currently only "useragent"; If set, then the FE user
session is locked to the value of HTTP_USER_AGENT. This lowers the risk
of session hi-jacking. However some cases (like payment gateways) might
have to use the session cookie and in this case you will have to disable
that feature (eg. with a blank string).
</TYPO3_CONF_VARS[FE]>
--
- kasper
--------
Please notice NEW EMAIL ADDRESS for 2004!! (due to SPAM-contamination)
"kasper2004 at typo3.com"
More information about the TYPO3-dev
mailing list