[TYPO3-dev] Severe error caused by "solution" of session fixation bug
Christopher Lörken
christopher at loerken.net
Fri Feb 6 15:39:07 CET 2009
Marcus Krause wrote:
> I see your point. Could you file a bug entry like "Check for existing
> session records does not consider IP locks"!
>
Done:
http://bugs.typo3.org/view.php?id=10365
I am still quite uncomfortable with limiting the solution to a mere IP
lock check since it will not solve the problem for sites that have it
disabled...
Maybe there are better ways to provide new users with a unique
identifier... md5 prefixed by a timestamp for instance...
A random value simply isn't good enough for high traffic websites.