[Typo3-dev] Storing large Session data
Jean-Baptiste Rio
triphot69 at hotmail.com
Tue Jul 5 11:32:44 CEST 2005
Peter Russ wrote:
> 3.8.0?
> Just found:
> CHANGELOG:
> 2005-04-29 Kasper Skårhøj,,, <kasper at typo3.com>
>
> * Added default limit (10kb) on frontend user session data (set by
> TYPO3_CONF_VARS[FE][maxSessionDataSize]) and added a check that session
> data is saved only if a cookie is actually set. This closes a quite
> obvious hole for DoS attacks where requesting a TYPO3 URL something like
> "...index.php?id=1&recs[foo][bar]=[up to 2000 chars]" would fill 2kb of
> data into fe_session_data no questions asked. It is not a security
> problem but a thousand such requests (with eg. "ab") would mean 2 megabytes
> of junk in the database... Spamming that table is now considerably more
> complicated. However this setting might break applications storing large
> amounts of user session data, but for the average shopping plugin it
> should be unaffected.
>
> Regs. Peter.
>
I need to store large data in session data, in order to avoid a GET
parameter security breach attempt.
Is it possible to change the way it is limited in order to allow
unlimited size when setKey is used and to limit when requesting a TYPO3
URL?
JB
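
The two checks described in the quoted changelog entry (a size cap on session data and a cookie requirement before anything is persisted), shown as an added PHP example that is neither TYPO3's code nor part of the original message. The function name, the sample requests and the use of `fe_typo_user` as the cookie name are assumptions of this sketch.

```php
<?php
// Added illustration, not TYPO3 source. All names here are hypothetical.

// 10 kB default limit named in the changelog entry.
const MAX_SESSION_DATA_SIZE = 10240;

/**
 * Decide whether session data may be written to storage.
 * Returns [bool $allowed, string $reason].
 */
function maySaveSessionData(array $sessionData, array $cookies, string $cookieName, int $maxSize): array
{
    // Guard 1: only persist for clients that sent the session cookie back.
    // A request without a cookie cannot be tied to a returning visitor, so
    // storing its data would let anonymous requests create rows at will.
    if (!isset($cookies[$cookieName]) || $cookies[$cookieName] === '') {
        return [false, 'no session cookie'];
    }

    // Guard 2: cap the serialized size so a single session cannot grow unbounded.
    $size = strlen(serialize($sessionData));
    if ($size > $maxSize) {
        return [false, "size $size exceeds limit $maxSize"];
    }

    return [true, "ok, $size bytes"];
}

// Constructed sample requests: [session data, cookies received].
$requests = [
    'no cookie, recs[foo][bar] payload' => [
        ['recs' => ['foo' => ['bar' => str_repeat('A', 2000)]]],
        [],
    ],
    'cookie set, small basket' => [
        ['basket' => [12 => 2, 40 => 1]],
        ['fe_typo_user' => 'constructed-session-id'],
    ],
    'cookie set, oversized data' => [
        ['blob' => str_repeat('B', 20000)],
        ['fe_typo_user' => 'constructed-session-id'],
    ],
];

foreach ($requests as $label => [$data, $cookies]) {
    [$ok, $reason] = maySaveSessionData($data, $cookies, 'fe_typo_user', MAX_SESSION_DATA_SIZE);
    printf("%-36s %s (%s)\n", $label, $ok ? 'SAVE' : 'SKIP', $reason);
}
```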