[TYPO3-dev] session problems (Involuntary hijacking) - fe_typo_user changes every time
Christopher Lörken
christopher at loerken.net
Fri Feb 6 11:43:39 CET 2009
Hi and thanks for your answer.
I've just tried livehttpheader and FireCookie.
The one thing which really confuses me and doesn't look right to me is
that the fe_typo_user value changes every time I click a link when I'm
not logged in...
Example:
- Deleted all cookies and hit main page: ad66a1488374654cebbc60ffdd14bec6
- clicked on forum: 8edb39650c085dac9b44da9ae631fe86
- back to main page: 0e24b2152fa05dccd9f44d5edc1f6478
Is this kind of behavior right or is anything going wrong?
Whenever I am logged in, the fe_typo_user value stays the same.
Not that clicking around on the site a lot will eventually lead to a
cookie id that is already used for a session resulting in the hijack?
This is indeed a behavior I do not get when visiting typo3.org or
typo3.net which both seem to use older Typo3 versions since they still
have the fe_typo_user id that is limited to 10 characters. A security
flaw, which has indeed resulted in involuntary session hijacking before.
Compare this post of Dmitry:
http://lists.netfielders.de/pipermail/typo3-team-core/2008-September/019185.html
On your t3node.com site Steffen, it is the same. The fe_typo_user
changes with every visited link.
We have roughly 5000 unique IPs hitting the site each day and close to
2000 unique users that log in within 24 hours. Every user seems to store
multiple entries in fe_sessions, the chance to hit one by random seems
at least given to me...
For example, my account has 3 entries in the session table, all of them
with the same ses_user_id and the same ses_iplock. Even the ses_hashlock
is the same for two of them...
Any ideas?
This is starting to really look like a bad bug to me and not like a mere
configuration problem.
Cheers,
Christopher
Steffen Müller schrieb:
> Hi.
>
> On 05.02.2009 12:35 Christopher Lörken wrote:
>>> - sniffed network traffic (domain D sets cookie C, cookie details are
>>> shown in browser as XXX, browser sends slightly modified cookie C back
>>> to domain)
>> Don't know how to do that.
>>
>
> Use liveHttpHeader add-on:
> http://livehttpheaders.mozdev.org/
>
> Not a "classic" sniffer, but sufficient to see what cookie data is
> sent/received.
>