[TYPO3-english] Problems staying logged in with two installs on same site

Marcus Krause marcus#exp2009 at t3sec.info
Sun Jan 25 13:07:54 CET 2009


Walrick Bosch schrieb am 25.01.2009 09:59 Uhr:
>> Have you emptied all session cookies? As the changelog tells, there are
>> some changes in session fixation (security reason). I suppose this is
>> causing the problem.
>>
>> I have no problem as far as I can see with 4 sites where 3 are subdomains.
>> Some problems, because I had to clear cookies for each subsite, and this
>> also cleared the session cookies on the other sites with the same domain,
>> and I had to re-login.
>>
>> You could also look at cookieDomain in the Install tool, and see if setting
>> this to the full subdomain helps.
> 
> Hello Erik,
> 
> Clearing all the cookies for the entire domain does not help.
> 
> And the second site is just in a subdirectory, not a subdomain. And you
> can't set cookieDomain to a subdirectory. I tried that, but couldn't
> log in anymore. (Kept getting the relogin screen.)
> 
> So the problem remains.

Hi!

This won't work anymore. Until now, TYPO3 trusted all session ids; so if 
your browser pretended to have SID "aaa..." TYPO3 used it to create a 
user session if one did not exist. That's how you tricked your two 
installations into using the same SID. Unfortunately this isn't only helpful 
in your specific case but also opens the possibility of a session fixation 
vulnerability.


The only possible solution (which isn't implemented and therefore 
currently not working) is to limit each session id cookie to the 
subfolder TYPO3 is installed in.
Example:
example.org/cms1/
example.org/cms2/

Please file a bugtracker entry for it if you like the described possible 
solution!


Marcus.
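
As an added illustration (not TYPO3's code, and not from anyone in this thread), the following Python model shows the two mechanisms the reply describes: a server that only honours session ids it issued itself, so a client-presented id it never created is discarded and replaced, and a session cookie restricted with a Path attribute to the install's subfolder, so that example.org/cms1/ and example.org/cms2/ keep separate sessions in one browser. The cookie name, the in-memory session store and the minimal browser-side cookie jar (RFC 6265 path matching) are assumptions made for the example.

```python
"""Added example, not TYPO3 code: server-issued session ids plus cookie
Path scoping for two installs under one host name.

Assumptions: an in-memory session store, a placeholder cookie name, and a
minimal browser-side cookie jar implementing RFC 6265 path matching.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "typo_session"  # placeholder, not TYPO3's real cookie name


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: is a cookie stored with
    cookie_path sent along with a request for request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie_path is a proper prefix: it must end in '/' or the request path
    # must continue with '/' (so '/cms1' does not match '/cms10/...').
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class SessionStore:
    """Server side of one install living under base_path (e.g. '/cms1/').

    Only ids this store created are accepted. An id the client presents
    that the server never issued is dropped and replaced by a fresh one,
    which is what closes the session fixation hole described in the reply."""

    def __init__(self, base_path: str):
        self.base_path = base_path
        self.sessions: Dict[str, dict] = {}  # sid -> session data (in memory)

    def _set_cookie(self, sid: str) -> str:
        # Path= limits the cookie to this install's folder, so the browser
        # does not present it to a sibling install under the same host.
        return f"{COOKIE_NAME}={sid}; Path={self.base_path}; HttpOnly"

    def resolve(self, cookie_header: str) -> Tuple[str, Optional[str]]:
        """Map the request's Cookie header to a session id.
        Returns (sid, set_cookie_header); set_cookie_header is None when an
        existing, server-issued session was reused."""
        presented_cookies = SimpleCookie()
        presented_cookies.load(cookie_header or "")
        presented = None
        if COOKIE_NAME in presented_cookies:
            presented = presented_cookies[COOKIE_NAME].value
        if presented is not None and presented in self.sessions:
            return presented, None  # known session: reuse it silently
        # Unknown or absent id: never adopt the client's value, mint our own.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid, self._set_cookie(sid)


class CookieJar:
    """Minimal browser cookie jar keyed by (name, path)."""

    def __init__(self):
        self.cookies: Dict[Tuple[str, str], str] = {}

    def store(self, set_cookie_header: str) -> None:
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.cookies[(name, morsel["path"] or "/")] = morsel.value

    def header_for(self, request_path: str) -> str:
        """Build the Cookie request header for a request to request_path."""
        pairs = [f"{name}={value}"
                 for (name, path), value in self.cookies.items()
                 if path_matches(request_path, path)]
        return "; ".join(pairs)


def two_installs_scenario() -> dict:
    """Replay the thread's situation: /cms1/ and /cms2/ on one host, one
    browser, and a client-chosen session id that the server must refuse."""
    cms1, cms2, jar = SessionStore("/cms1/"), SessionStore("/cms2/"), CookieJar()

    # Constructed input: a cookie value the server never issued.
    sid1, set1 = cms1.resolve(f"{COOKIE_NAME}=clientchosenvalue")
    jar.store(set1)

    # The /cms1/ cookie is not path-matched for /cms2/, so cms2 sees no id
    # and issues its own instead of sharing cms1's session.
    leaked_to_cms2 = jar.header_for("/cms2/index.php")
    sid2, set2 = cms2.resolve(leaked_to_cms2)
    jar.store(set2)

    # On repeat visits each install finds and reuses only its own session.
    again1, renew1 = cms1.resolve(jar.header_for("/cms1/index.php"))
    again2, renew2 = cms2.resolve(jar.header_for("/cms2/admin/"))

    return {
        "fixation_refused": sid1 != "clientchosenvalue",
        "cms1_cookie_leaks_to_cms2": leaked_to_cms2 != "",
        "independent_ids": sid1 != sid2,
        "cms1_reused": again1 == sid1 and renew1 is None,
        "cms2_reused": again2 == sid2 and renew2 is None,
    }


if __name__ == "__main__":
    print(two_installs_scenario())
```

The Path attribute is exactly the per-subfolder limitation proposed in the reply; the `resolve()` check is the other half, since a cookie scoped to `/cms1/` would still be useless as a fix if the server kept adopting any id the browser happened to send. Note that cookies are not isolated by origin path in the browser's security model, so Path only prevents the accidental collision between two installs on one host, not interference by content served from another path on that host.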

