[TYPO3-dev] Severe error caused by "solution" of session fixation bug

Marcus Krause marcus#exp2009 at t3sec.info
Fri Feb 6 15:14:34 CET 2009


Christopher Lörken wrote on 02/06/2009 at 02:49 PM:
> Hello everyone,
> 
> I am afraid we have encountered severe problems with the hotfix of the
> session fixation bug (http://bugs.typo3.org/view.php?id=10205).
> 
> The current 4.2.5 version never creates an entry in the fe_sessions
> table for a user that is not logged in, since the check
> 
>     if (!$id || !$this->isExistingSessionRecord($id)) {
>         make new id
>     }
>     
> will _always_ generate a new session id for not logged in users. Thus,
> they actually get a _new ID with every single link they visit_.
> 
> 
> We have a moderately visited website with a couple of thousand visitors
> and a correspondingly high number of pageviews per day. The point is that
> we get reports of users who *involuntarily hijack sessions of other users*.
> 
> If a user is not logged in and browses the page, he will get a chance to
> hijack a user session every single time he presses a link. I admit that
> there is not a big chance of this happening, but it happened about 20 times
> the last week with users reporting the issue. You can be assured that
> not all users who experience that problem will report it.
> 
> 
> 
> My proposals for how to fix this problem:
> 
> isExistingSessionRecord does query the DB with the following command:
> 
>     $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
>         'COUNT(ses_id)',
>         $this->session_table,
>         'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, $this->session_table)
>     );
> 
> Sadly, this command completely ignores any IP lock that might have been
> configured. Probably a result of the hotfixiness nature of the past update.
> 
> I think adding the IP lock check to the query would (nearly) solve the
> problem for pages with IP lock enabled at level 4.

I see your point. Could you file a bug entry like "Check for existing
session records does not consider IP locks"!


Marcus.
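The flaw Christopher describes is a session lookup that matches on the session ID alone and so ignores the IP lock an installation has configured. The following constructed simulation, added here for illustration and not taken from the thread or from TYPO3's own code, models a tiny "fe_sessions" table and contrasts the ID-only lookup with one that also enforces the IP lock. Record fields, sample addresses, the `lock_level` parameter and the octet-prefix comparison (level 4 meaning all four octets must match, as in the mail) are assumptions made for this example; TYPO3's real API names are not used.

```python
"""Constructed simulation of a frontend session lookup with and without
an IP lock.  Not TYPO3 code; all identifiers below are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SessionRecord:
    ses_id: str
    ses_iplock: str   # client address the session was bound to at creation
    ses_userid: int   # 0 = anonymous visitor, >0 = logged-in frontend user


# Constructed sample "fe_sessions" table: one logged-in user, one anonymous.
FE_SESSIONS: Dict[str, SessionRecord] = {
    "a1b2c3": SessionRecord("a1b2c3", "203.0.113.10", ses_userid=42),
    "d4e5f6": SessionRecord("d4e5f6", "198.51.100.7", ses_userid=0),
}


def ip_matches(stored_ip: str, client_ip: str, lock_level: int) -> bool:
    """Compare the first `lock_level` octets of two IPv4 addresses.

    lock_level 0 disables the lock; 4 requires all octets to be equal.
    Malformed addresses fail closed (treated as a mismatch).
    """
    if lock_level <= 0:
        return True
    stored, client = stored_ip.split("."), client_ip.split(".")
    if len(stored) != 4 or len(client) != 4:
        return False
    return stored[:lock_level] == client[:lock_level]


def is_existing_session_record_unlocked(ses_id: str) -> bool:
    """Lookup with the defect from the mail: any client presenting a known
    ses_id is treated as the owner of that session."""
    return ses_id in FE_SESSIONS


def is_existing_session_record_locked(ses_id: str, client_ip: str,
                                      lock_level: int) -> bool:
    """Hardened lookup: the record must exist AND satisfy the IP lock, so a
    session ID presented from a different network location is not reused."""
    record = FE_SESSIONS.get(ses_id)
    if record is None:
        return False
    return ip_matches(record.ses_iplock, client_ip, lock_level)


def resolve_session(ses_id: str, client_ip: str,
                    lock_level: int) -> Tuple[str, bool]:
    """Decide which session ID a request proceeds with.

    Returns (session_id, created_new).  The ID is kept only when the locked
    lookup accepts it; otherwise a fresh random ID is issued, which is the
    safe outcome for a mismatching client.
    """
    if ses_id and is_existing_session_record_locked(ses_id, client_ip, lock_level):
        return ses_id, False
    return secrets.token_hex(16), True


if __name__ == "__main__":
    # Same ID presented from the address it was created from: kept.
    print(resolve_session("a1b2c3", "203.0.113.10", 4))
    # Same ID presented from another address with lock level 4: replaced.
    print(resolve_session("a1b2c3", "198.51.100.7", 4))
    # The ID-only lookup would have accepted both.
    print(is_existing_session_record_unlocked("a1b2c3"))
```

With the lock level set to 4, a session ID that reaches the server from any address other than the one it was created from is simply replaced, which removes the accidental takeover path the mail reports; lower levels relax the comparison to the leading octets, and level 0 reproduces the ID-only behaviour.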
