[TYPO3-dev] Session Fixation "Feature" -> breaks Session Handling
Steffen Ritter
info at rs-websystems.de
Thu Mar 26 09:19:10 CET 2009
Armin Günther wrote:
> Hi,
>
> I recently stumbled across the same problem as Martin described in the
> opening post of this thread: Session handling for anonymous users is
> broken by the session fixation feature. The problem is pretty well
> documented as bug 0010205 in the bugtracker and is treated as "resolved"
> but for me the problem still exists (even after
> bug_10205_v5.patch).
>
> I used setKey() and getKey() to store and retrieve data in
> fe_session_data for anonymous(!) users; table fe_sessions remains empty.
> This doesn't work any more for me (v. 4.2.6) in general, only after
> setting
>
> $TYPO3_CONF_VARS['FE']['maxSessionDataSize'] = 0
>
> as Martin detected (thanx!) or commenting out
>
> !$this->isExistingSessionRecord($id)
>
> in t3lib_userauth row 229 as it is recommended for example here:
> http://blog.artif-orange.de/typo3
>
> Both solutions obviously are only workarounds and I wonder if this
> problem is still on the agenda of some core developers - whom by the way
> I would like to express my gratitude for their great work!
>
> Armin
>
AFAIK you have to explicitly save into the session after setKey, for
anonymous users, for logged on it should work automatically.
This is what I get from "Session troubles" topic from 23.03.2009,
Sebastian van Parijs and corresponding answers.
Have a look at it...
regards
Steffen