[TYPO3-dev] Severe error caused by "solution" of session fixation bug

Christopher Lörken christopher at loerken.net
Fri Feb 6 14:49:16 CET 2009


Hello everyone,

I am afraid we have encountered severe problems with the hotfix of the 
session fixation bug (http://bugs.typo3.org/view.php?id=10205).

The current 4.2.5 version never creates an entry in the fe_sessions 
table for a user that is not logged in, since the question

	if (!$id || !$this->isExistingSessionRecord($id)) {
		make new id
	}
	
will _always_ generate a new session id for not logged in users. Thus, 
they actually get a _new ID with every single link they visit_.


We have a moderately visited website with a couple of thousand visitors 
and a correspondingly high number of pageviews per day. The point is that 
we get reports of users who *involuntarily hijack sessions of other users*.

If a user is not logged in and browses the page, he will get a chance to 
hijack a user session every single time he presses a link. I admit 
that there is no big chance of this happening, but it happened about 20 
times in the last week with users reporting the issue. You can be assured 
that not all users who experience that problem will report it.



My proposals for how to fix this problem:

isExistingSessionRecord queries the DB with the following command:
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
	'COUNT(ses_id)',
	$this->session_table,
	'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, $this->session_table));

Sadly, this command completely ignores any IP lock that might have been 
configured. Probably a result of the hotfix nature of the past update.

I think adding the IP lock check to the query would (nearly) solve the 
problem for pages with IP lock enabled at level 4.


Probably the better solution would be to properly implement Marcus's 
proposition #2 of http://bugs.typo3.org/view.php?id=10205, 
even if it stresses the DB more.

As far as I am concerned I can happily live with a bit more DB stress 
if it ensures me that my users do not involuntarily hijack others' sessions.


Opinions?


Cheers Christopher


(By the way, sorry to repost this as a new topic, but this list is very 
active and I've written it in the fixation thread above but have the 
impression that those people who chat about free extJS or stuff like 
that overlooked my post. And if I am not completely wrong with my analysis 
this is of much more importance than what will eventually be included in 
version 4.2. No offence :) )




More information about the TYPO3-dev mailing list