[TYPO3-dev] Severe error caused by "solution" of session fixation bug
Marcus Krause
marcus#exp2009 at t3sec.info
Fri Feb 6 15:14:34 CET 2009
Christopher Lörken wrote on 02/06/2009 02:49 PM:
> Hello everyone,
>
> I am afraid we have encountered severe problems with the hotfix of the
> session fixation bug (http://bugs.typo3.org/view.php?id=10205).
>
> The current 4.2.5 version never creates an entry in the fe_sessions
> table for a user that is not logged in, since the check
>
> if (!$id || !$this->isExistingSessionRecord($id)) {
> make new id
> }
>
> will _always_ generate a new session id for not logged in users. Thus,
> they actually get a _new ID with every single link they visit_.
>
>
> We have a moderately visited website with a couple of thousand visitors
> and a correspondingly high number of pageviews per day. The point is that
> we get reports of users who *involuntarily hijack sessions of other users*.
>
> If a user is not logged in and browses the page, he will get a chance to
> hijack a user session every single time he presses a link. I admit that
> there is not a big chance of this happening, but it happened about 20 times
> last week, with users reporting the issue. You can be assured that
> not all users who experience that problem will report it.
>
>
>
> My proposals for how to fix this problem:
>
> isExistingSessionRecord queries the DB with the following command:
> $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
> 'COUNT(ses_id)',
> $this->session_table,
> 'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id,
> $this->session_table));
>
> Sadly, this command completely ignores any IP lock that might have been
> configured. Probably a result of the hotfix nature of the past update.
>
> I think adding the IP lock check to the query would (nearly) solve the
> problem for pages with IP lock enabled at level 4.
I see your point. Could you file a bug entry like "Check for existing
session records does not consider IP locks"?
Marcus.
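To make the difference between the two checks concrete, here is a simplified model of the session lookup discussed in the thread, added as an illustration and not TYPO3's own code. The in-memory fe_sessions table, the ip_lock_value masking helper and all function names are constructed assumptions; the stored ses_iplock is assumed to hold the client IP masked to the configured lock level.

```python
# Model of the TYPO3 4.2.5 FE session existence check (constructed, not TYPO3 code).
import secrets

# Constructed fe_sessions table: ses_id -> record. ses_iplock is assumed to
# store the masked client IP at the configured lock level (here level 4).
FE_SESSIONS = {
    "a1b2c3": {"ses_userid": 42, "ses_iplock": "203.0.113.7"},
}


def ip_lock_value(ip: str, level: int) -> str:
    """Mask an IPv4 address to `level` leading octets (0 = lock disabled)."""
    if level == 0:
        return "[DISABLED]"
    octets = ip.split(".")
    return ".".join(octets[:level] + ["*"] * (4 - level))


def is_existing_session_record_weak(ses_id: str, sessions=FE_SESSIONS) -> bool:
    """Hotfix behaviour: only ses_id is checked, so an id presented by any
    client is accepted as long as a row with that id exists."""
    return ses_id in sessions


def is_existing_session_record_iplocked(ses_id: str, client_ip: str,
                                        level: int = 4, sessions=FE_SESSIONS) -> bool:
    """Proposed fix: the row must exist AND its ses_iplock must match the
    caller's IP masked to the same lock level."""
    rec = sessions.get(ses_id)
    if rec is None:
        return False
    return rec["ses_iplock"] == ip_lock_value(client_ip, level)


def resolve_session(ses_id: str, client_ip: str, level: int = 4,
                    sessions=FE_SESSIONS) -> str:
    """Model of `if (!$id || !isExistingSessionRecord($id)) { make new id }`
    with the IP-lock-aware check: a foreign id is discarded, not adopted."""
    if not ses_id or not is_existing_session_record_iplocked(ses_id, client_ip, level, sessions):
        return secrets.token_hex(16)  # fresh, unpredictable id
    return ses_id
```

With the weak check a visitor from 198.51.100.9 presenting id a1b2c3 would keep it; with the IP-locked check that visitor gets a new id and the logged-in user's session stays bound to 203.0.113.7.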