[TYPO3-dev] Authservice: autologin via longer cookie lifetime - not even localconf-value FE[lifetime] -> BUG + FeatureRequest

Franz Koch typo3 at fx-graefix.de
Tue May 23 03:01:37 CEST 2006


Hi list,

I'm trying to code a small authentication service for typo3 4.0 that provides the possibility to enable "autologin" that can be activated or deactivated on a per login basis (http-post value through a checkbox or whatever). My service authenticates the user (well - it already is, I only set a cookie-lifetime) and everything seems ok with "active" logins. The cookie also has the expected lifetime.

By simulating a future date the autologin fails - even if the cookie hasn't expired. The same occurs if I set the FE value "FE[lifetime]" in installtool to any value (let's say 3600*24*7) which should enable general autologin for fe_users. When moving the clock 1 hour forward - the login fails.

I think this is caused by the function "fetchUserSession" in class.t3lib_userauth.php that is used to fetch stored sessionkeys. This function is also used to find a valid sessionkey for the session-hash stored in the fe_user cookie. The only problem is that this function is not aware of the setting "FE[lifetime]" - it uses the variable "$this->auth_timeout_field" for the timeout calculation which is always(?) 1 hour (3600). After setting the variable "auth_timeout_field" to $this->lifetime the autologin works as expected.

Solution: "auth_timeout_field" has to be set to "lifetime" and this has to be done before the call "$this->checkAuthentication()" around line 286 in class.t3lib_userauth.php. Would be nice if somebody could confirm this to get into 4.1.



Anyway - solving this bug doesn't enable the possibility for authservices to override the timeout variable. The only currently easy way to override is XCLASSing class.t3lib_userauth.php as it seems. It would be nice if there were also the possibility for an authservice to override certain values before something is processed. Or maybe services for something like "authUserSessionFE". What are the thoughts about this?

If anybody has an idea how I could achieve my goal - you're very welcome to share your thoughts :)
Well, I could enable general autologin with FE[lifetime] and then limit the cookie lifetime with an authservice - but I don't like this as sessions could somehow be reused I guess.

-- 
Kind regards,
Franz Koch
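
A simplified model of the lookup described in the post, added here as an illustration and not taken from TYPO3 or from the author: it contrasts a session lookup that applies a fixed one-hour timeout with one that applies a lifetime recorded server-side at login, so the cookie's own expiry never decides validity. The class, method and field names are hypothetical and the timestamps are constructed.

```php
<?php
// Added example: simplified model, not TYPO3 code. All names are hypothetical.
final class SessionStore
{
    private array $rows = [];   // session id => [user, tstamp, lifetime]

    public function __construct(private int $defaultTimeout = 3600) {}

    // $lifetime > 0 means autologin was requested for this login only.
    public function create(int $user, int $lifetime, int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['user' => $user, 'tstamp' => $now, 'lifetime' => $lifetime];
        return $id;
    }

    // Behaviour reported in the post: the lookup only knows the fixed timeout.
    public function fetchFixedTimeout(string $id, int $now): ?int
    {
        $row = $this->rows[$id] ?? null;
        return ($row !== null && $row['tstamp'] + $this->defaultTimeout > $now) ? $row['user'] : null;
    }

    // Lookup that uses the lifetime recorded server-side at login.
    public function fetchPerSession(string $id, int $now): ?int
    {
        $row = $this->rows[$id] ?? null;
        if ($row === null) {
            return null;
        }
        $timeout = $row['lifetime'] > 0 ? $row['lifetime'] : $this->defaultTimeout;
        if ($row['tstamp'] + $timeout <= $now) {
            unset($this->rows[$id]);   // expired: drop the row so the id cannot be replayed
            return null;
        }
        return $row['user'];
    }
}

$now   = 1148346097;                      // constructed timestamp
$week  = 3600 * 24 * 7;
$store = new SessionStore();
$auto  = $store->create(42, $week, $now); // login with autologin ticked
$plain = $store->create(43, 0, $now);     // ordinary login

var_dump($store->fetchFixedTimeout($auto, $now + 7200));    // autologin session, 2 h later, fixed timeout
var_dump($store->fetchPerSession($auto, $now + 7200));      // same session, per-session lifetime
var_dump($store->fetchPerSession($plain, $now + 7200));     // ordinary session, 2 h later
var_dump($store->fetchPerSession($auto, $now + $week + 1)); // autologin session after its lifetime
```

Because the lifetime is stored with the session row at login, an ordinary login keeps the default timeout even when another user's session runs for a week.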