[TYPO3-dev] Session Fixation "Feature" -> breaks Session Handling
Martin Holtz
typo3ng_2008 at martinholtz.de
Mon Mar 9 10:24:00 CET 2009
Hi Christopher,
you gave me a hint where I had to look - thanks :)
> I'm not entirely sure if I understood what you are trying to do but:
>
> Are you trying to store something in a user session for users who are
> not logged in to the page?
Exactly.
> If yes, your problem might be that the last Typo3 update changed the
> behavior to generating a new session id for not-logged-in users on every
> page load.
>
> That means:
> visit frontpage -> new session id
> visit forum -> new session id
> visit news -> new session id
> read news -> new session id
Yes, that's the problem.
> This behavior is caused by the session fixation code, as you have
> correctly identified. The session id only stays static for logged-in users.
Well, that's not correct. If there is data in fe_session_data, the
session will not be changed.
But if you are not logged in, and there is no extension which saves
something in fe_session_data, there will always be a new session id.
I now found a workaround without removing the session-fixation fix:
Set
$TYPO3_CONF_VARS['FE']['maxSessionDataSize'] = 0;
The reason is:
in class.tslib_feuserauth.php,
in function record_registration,
there is an if statement:
if (!$maxSizeOfSessionData || $this->cookieId===$this->id)
So, the cookieId is always != $this->id if you are not logged in. But
setting $maxSizeOfSessionData=0 helps. But then it would be possible to
bloat the database.
So, it is not really a good solution.
regards,
martin
--
Martin Holtz - elemente websolutions http://www.elemente-websolutions.ms
DocTeam: http://forge.typo3.org/projects/show/team-docteam
http://wiki.typo3.org/Ts45min - TypoScript in "45" minutes
http://wiki.typo3.org/De:ts45min - (auch in Deutsch)
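The two decisions discussed above, as an added illustration that is not TYPO3's own code: a simplified PHP model of whether an anonymous visitor keeps a session id, and whether the record_registration() gate stores data for that visitor. The size check (assumed here to be a plain byte-length comparison) and the sample ids and payload are constructed for the example.

```php
<?php
// Simplified model (not TYPO3's code) of the behaviour described in the thread.

function keepsSessionId(bool $loggedIn, bool $hasSessionData): bool
{
    // Session fixation fix: the id is regenerated on every request unless the
    // user is logged in or fe_session_data already holds something for this id.
    return $loggedIn || $hasSessionData;
}

function storeSessionData(string $cookieId, string $currentId, string $payload, int $maxSessionDataSize): array
{
    // Gate from class.tslib_feuserauth.php::record_registration():
    //   if (!$maxSizeOfSessionData || $this->cookieId === $this->id)
    // For an anonymous visitor whose id was just regenerated, cookieId !== id,
    // so nothing is stored unless the size limit is disabled (set to 0).
    if ($maxSessionDataSize && $cookieId !== $currentId) {
        return ['stored' => false, 'reason' => 'session id changed this request'];
    }
    // Assumed shape of the cap: reject payloads longer than maxSessionDataSize.
    // With the cap disabled (0), any size is accepted: the database-bloat risk.
    if ($maxSessionDataSize && strlen($payload) > $maxSessionDataSize) {
        return ['stored' => false, 'reason' => 'payload exceeds maxSessionDataSize'];
    }
    return ['stored' => true, 'reason' => 'ok', 'bytes' => strlen($payload)];
}

// Constructed scenario: anonymous visitor, no session data yet, id regenerated.
$cookieId  = 'a1b2c3'; // id the browser sent with its cookie
$currentId = 'd4e5f6'; // id freshly generated for this request
var_dump(keepsSessionId(false, false)); // anonymous, empty fe_session_data

// Cap enabled: the small payload is refused because the id changed (the breakage).
var_dump(storeSessionData($cookieId, $currentId, 'cart=1', 2048));

// Cap disabled (the workaround): a 5 MiB constructed payload is accepted unchecked.
$junk = str_repeat('x', 5 * 1024 * 1024);
var_dump(storeSessionData($cookieId, $currentId, $junk, 0));
```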