[TYPO3-dev] session problems (Involuntary hijacking) - fe_typo_user changes every time

Marcus Krause marcus#exp2009 at t3sec.info
Fri Feb 6 14:59:57 CET 2009


Christopher Lörken wrote on 02/06/2009 11:43 AM:
> Hi and thanks for your answer.
> 
> I've just tried livehttpheader and FireCookie.
> 
> The one thing which really confuses me and doesn't look right to me is
> that the fe_typo_user value changes every time I click a link when I'm
> not logged in...
> 
> Example:
> 
> Deleted all cookies and hit main page:
> ad66a1488374654cebbc60ffdd14bec6
> clicked on forum:
> 8edb39650c085dac9b44da9ae631fe86
> back to main page:
> 0e24b2152fa05dccd9f44d5edc1f6478
> 
> Is this kind of behavior right or is anything going wrong?
> Whenever I am logged in, the fe_typo_user value stays the same.
> 
> Not that clicking around on the site a lot will eventually lead to a
> cookie id that is already used for a session resulting in the hijack?
> 
> This is indeed a behavior I do not get when visiting typo3.org or
> typo3.net which both seem to use older Typo3 versions since they still
> have the fe_typo_user id that is limited to 10 characters. A security
> flaw, which has indeed resulted in involuntary session hijacking before.
> Compare this post of Dmitry:
> http://lists.netfielders.de/pipermail/typo3-team-core/2008-September/019185.html

I'm not aware of any hijacking of sessions due to the 10 char limitation.


> We have roughly 5000 unique IPs hitting the site each day and close to
> 2000 unique users that log in within 24 hours. Every user seems to store
> multiple entries in fe_sessions, the chance to hit one by random seems
> at least given to me...

SIDs change only if a user isn't logged in. Of course there's a
possibility that two users get the same SID. But this is more
theoretical - like winning a lottery and immediately getting hit by a
thunderbolt. And then a SID might be limited to a full IP or parts of
the IP.

Marcus.
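The "lottery" intuition above can be put into numbers. The following is an added worked example, not code from this thread or from TYPO3: it applies the birthday bound to session identifiers of a given length and alphabet. It assumes the IDs are drawn uniformly at random, takes the 32-character hexadecimal fe_typo_user value shown in the quoted post as one case, and assumes (the post does not say) that the older 10-character ID used a 62-symbol alphanumeric alphabet. The session counts are the ones quoted in the thread. Note what this does not measure: if an ID generator has little real entropy or is predictable, the effective bit count is far below the nominal one, and the figures below no longer apply.

```python
import math


def id_bits(length: int, alphabet_size: int) -> float:
    """Nominal entropy of an ID of `length` symbols from an alphabet of
    `alphabet_size` symbols, assuming every symbol is uniformly random."""
    return length * math.log2(alphabet_size)


def collision_probability(num_sessions: int, bits: float) -> float:
    """Birthday bound: probability that at least two of `num_sessions`
    independently generated random IDs of `bits` bits are identical.
    Uses 1 - exp(-n(n-1) / (2N)) with N = 2**bits; expm1 keeps precision
    when the probability is tiny."""
    space = 2.0 ** bits
    exponent = -num_sessions * (num_sessions - 1) / (2.0 * space)
    return -math.expm1(exponent)


def guess_hit_probability(live_sessions: int, bits: float) -> float:
    """Chance that one random ID guessed by an attacker matches any one
    of `live_sessions` currently valid sessions: n / N."""
    return live_sessions / (2.0 ** bits)


def sessions_for_probability(target_p: float, bits: float) -> float:
    """Inverse of the birthday bound: roughly how many concurrent sessions
    are needed before the collision probability reaches `target_p`."""
    space = 2.0 ** bits
    return math.sqrt(-2.0 * space * math.log1p(-target_p))


if __name__ == "__main__":
    # Constructed inputs: the two ID formats discussed in the thread and the
    # session counts quoted there (2000 logins/day, "multiple entries" each).
    cases = {
        "32 hex chars (as shown in the post)": id_bits(32, 16),
        "10 alphanumeric chars (assumed 62-symbol alphabet)": id_bits(10, 62),
    }
    live_sessions = 10_000  # assumption: ~5 fe_sessions rows per logged-in user
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits")
        print(f"  P(any collision among {live_sessions} sessions) = "
              f"{collision_probability(live_sessions, bits):.3e}")
        print(f"  P(one attacker guess hits a live session)    = "
              f"{guess_hit_probability(live_sessions, bits):.3e}")
        print(f"  sessions needed for 50% collision chance     = "
              f"{sessions_for_probability(0.5, bits):.3e}")
```

For the 128-bit hex value the collision probability at ten thousand live sessions is on the order of 10^-31; even the 10-character alphanumeric ID (about 59.5 bits) sits near 10^-10, which is why random collision is not a plausible hijack mechanism. Binding the SID to the client IP, as the reply mentions, shrinks the attacker's usable pool further, but it does nothing about a weak generator, which is the thing that would actually change these numbers.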