[TYPO3-dev] Is config key 'cookieDomain' worth a patch?
Marcus Krause
marcus#exp2009 at t3sec.info
Sun Jan 4 07:55:28 CET 2009
Dmitry Dulepov schrieb am 03.01.2009 14:09 Uhr:
> Hi!
>
> Xavier Perseguers wrote:
>> ==== WHAT I SUGGEST ====
>>
>> 1) Either create a second cookieDomain parameter to be used for FE (or BE)
>> 2) Better would be to add this configuration property to the domain
>> record itself. This way it would fall back to current behaviour if not
>> configured but would allow me to handle even more complex scenario.
>>
>>
>> What is your point of view? TYPO3 4.3 is not yet out and thus it would
>> still be time to do this.
>
> My suggestion for typo3conf/localconf.php in such cases:
>
> if (TYPO3_MODE == 'BE') {
> $TYPO3_CONF_VARS['SYS']['cookieDomain'] = $_SERVER['HTTP_HOST'];
> }
> else {
> $TYPO3_CONF_VARS['SYS']['cookieDomain'] = '.domain.tld';
> }
In this case you should know what you are doing. By that, in regards to
security, you are exposing Session IDs to all subdomains. This is fine if
you are the owner of _all_ subdomains and can ensure that there is and
won't be any malicious code on those subdomains.
Marcus.
--
Member TYPO3 Security Team
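As an added illustration (not from this thread and not TYPO3 code), the Python model below implements RFC 6265 cookie domain matching and shows which hosts a session cookie reaches under the two branches of the quoted localconf.php. All host names are constructed for the example, and `HTTP_HOST` is assumed to be the backend host name `typo3.domain.tld`.

```python
# Added example: models RFC 6265 cookie Domain matching to show which hosts a
# session cookie is sent to under each cookieDomain setting.  Not TYPO3 code;
# all host names below are constructed for illustration only.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s.5.1.3: the request host domain-matches the cookie's Domain
    if they are identical or the host ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")   # a leading dot is dropped (s.5.2.3)
    return host == domain or host.endswith("." + domain)


def cookie_reaches(request_host: str, issuing_host: str, cookie_domain: str) -> bool:
    """True if a cookie set by issuing_host with the given Domain attribute is
    sent to request_host.  An empty cookie_domain means no Domain attribute,
    i.e. a host-only cookie that only returns to the host that set it."""
    if cookie_domain == "":
        return request_host.lower() == issuing_host.lower()
    return domain_matches(request_host, cookie_domain)


def exposed_hosts(issuing_host: str, cookie_domain: str, candidate_hosts: list) -> list:
    """All hosts in candidate_hosts that will receive the session cookie."""
    return [h for h in candidate_hosts if cookie_reaches(h, issuing_host, cookie_domain)]


# Constructed host names standing in for one site with several subdomains
# plus an unrelated domain.
HOSTS = ["typo3.domain.tld", "www.domain.tld", "blog.domain.tld",
         "shop.domain.tld", "other.tld"]

# The two branches of the quoted localconf.php.  HTTP_HOST is assumed
# (constructed) to be the backend host name.
BE_SETTING = "typo3.domain.tld"   # $TYPO3_CONF_VARS['SYS']['cookieDomain'] = $_SERVER['HTTP_HOST']
FE_SETTING = ".domain.tld"        # $TYPO3_CONF_VARS['SYS']['cookieDomain'] = '.domain.tld'


def compare() -> dict:
    """Which hosts receive the session cookie with cookieDomain unset,
    with the BE branch, and with the FE branch."""
    return {
        "unset": exposed_hosts("typo3.domain.tld", "", HOSTS),
        "BE": exposed_hosts("typo3.domain.tld", BE_SETTING, HOSTS),
        "FE": exposed_hosts("www.domain.tld", FE_SETTING, HOSTS),
    }


if __name__ == "__main__":
    for name, hosts in compare().items():
        print(f"{name:5}: {hosts}")
```

Running it shows the point Marcus makes: with `.domain.tld` every subdomain of `domain.tld` receives the frontend session cookie, while the backend branch keeps the cookie on the backend host (and, per RFC 6265, any hosts beneath it), and leaving cookieDomain unset yields a host-only cookie.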