[Typo3-dev] Storing large Session data
Peter Russ
peter.russ at 4many.net
Tue Jul 5 11:08:50 CEST 2005
Volker Biberger wrote:
> Hi there,
>
> I have run into problems using the sessiondata-system of Typo3
> (Frontend). When I try to store a huge array with
> $GLOBALS["TSFE"]->fe_user->setKey('ses','tx_myextension',$this->session_vars);
>
> and retrieve it afterwards all data is lost. I tried with smaller arrays
> and it worked.
>
> Is this a known bug and/or is there a way to work around this?
>
> thanks in advance
> Volker Biberger
>
3.8.0?
Just found:
CHANGELOG:
2005-04-29 Kasper Skårhøj,,, <kasper at typo3.com>
* Added default limit (10kb) on frontend user session data (set by
TYPO3_CONF_VARS[FE][maxSessionDataSize]) and added a check that session
data is saved only if a cookie is actually set. This closes a quite
obvious hole for DoS attacks where requesting a TYPO3 URL something like
"...index.php?id=1&recs[foo][bar]=[up to 2000 chars]" would fill 2kb of
data into fe_session_data no questions asked. It is not a security
problem but a thousand such requests (with eg. "ab") would mean 2 megabyte
of junk in the database... Spamming that table is now considerably more
complicated. However this setting might break applications storing large
amounts of user session data, but for the average shopping plugin it
should be unaffected.
Regs. Peter.
--
_____________________________
4Many® Services
openBC: http://www.openbc.com/go/invuid/Peter_Russ
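
The two checks the changelog entry describes (store session data only when a cookie was actually set, and only when it stays under the configured size limit), written out as an added example. This is not TYPO3 source code: the function name, the 10240-byte reading of "10kb", the strict greater-than comparison and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 source. All names below are hypothetical.

// Assumed byte value for the "10kb" default named in the changelog; in TYPO3
// the value is configured via TYPO3_CONF_VARS[FE][maxSessionDataSize].
const ASSUMED_MAX_SESSION_DATA_SIZE = 10240;

/**
 * Decide whether frontend session data may be written to the database.
 * Returns [bool $store, string $reason].
 */
function shouldPersistSessionData(array $sesData, bool $cookieWasSet, int $maxSize): array
{
    // Check 1: a client that never received a session cookie gets no stored
    // row, so cookieless requests cannot each add a new record.
    if (!$cookieWasSet) {
        return [false, 'no session cookie set'];
    }

    // Check 2: measure the data in the form it would be stored (serialized).
    // Assumption: a limit of 0 means "no limit".
    $size = strlen(serialize($sesData));
    if ($maxSize > 0 && $size > $maxSize) {
        return [false, "serialized size $size exceeds limit $maxSize"];
    }

    return [true, "serialized size $size within limit $maxSize"];
}

// Constructed sample inputs: a small cart, a request-supplied 2000-character
// value without a cookie, and a large extension array like the one in the
// original question.
$cases = [
    'small cart, cookie set'            => [['recs' => ['cart' => ['sku-1' => 2]]], true],
    '2000-char value, no cookie'        => [['recs' => ['foo' => ['bar' => str_repeat('a', 2000)]]], false],
    'large extension array, cookie set' => [['tx_myextension' => array_fill(0, 2000, 'value')], true],
];

foreach ($cases as $label => [$data, $cookie]) {
    [$store, $reason] = shouldPersistSessionData($data, $cookie, ASSUMED_MAX_SESSION_DATA_SIZE);
    printf("%-36s %s (%s)\n", $label, $store ? 'store' : 'skip', $reason);
}
```

Running the same size measurement on an extension's own array before storing it shows whether it would fit under the configured limit.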