[TYPO3-english] Security non sense in felogin ?

Ernesto Baschny [cron IT] ernst at cron-it.de
Mon Sep 27 19:34:30 CEST 2010


Tonix (Antonio Nati) wrote on 27.09.2010 18:28:
>  I'm examining felogin (TYPO3 4.2), and I see each time it publishes a
> hidden field with the storage PID of users.
> Is there any reason to publish such information on the website, when there
> are dozens of ways to pass the information to the plugin?
> If I force a logout, adding a simple logintype=Logout, without the pid
> field, it works without problems. So why add this internal information?

Your installation might have different SysFolders for users (multiple
sites, multiple trees, etc.). When the login is submitted, TYPO3 will
authenticate the user before any TypoScript or RealURL is parsed, so it
doesn't really have any other information at hand to decide which
SysFolder to take.

Passing them via "POST" might not seem to be the most beautiful way, but
it's the easiest.

Do you have any concrete drawbacks in mind?

Cheers,
Ernesto
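The practical caveat behind the question is that a hidden form field is client-controlled: whoever submits the form chooses the pid value. The following is an added illustration, written for this thread and not code from TYPO3, felogin or either poster, of how a server side can accept a posted storage pid and still refuse anything outside the folders it actually uses. The field names `pid` and `logintype`, the values `login`/`logout`, the allowlist `ALLOWED_USER_PIDS` and all sample requests are assumptions made for the example.

```php
<?php
// Added example, not TYPO3/felogin code. A posted storage pid is untrusted
// input; the server keeps the list of legitimate user folders itself and
// only accepts a pid that is on that list.
declare(strict_types=1);

// Hypothetical: the user SysFolders this installation uses. In a real
// setup this comes from server-side configuration, never from the request.
const ALLOWED_USER_PIDS = [12, 57];

// Return the posted pid as an int if it is well-formed and allowlisted,
// otherwise null. The allowlist is a parameter so the check is testable.
function resolveStoragePid(array $post, array $allowed = ALLOWED_USER_PIDS): ?int
{
    if (!isset($post['pid']) || !is_string($post['pid'])) {
        return null;
    }
    // A page uid is a positive integer; reject anything else outright.
    if (!preg_match('/^[1-9][0-9]*$/', $post['pid'])) {
        return null;
    }
    $pid = (int) $post['pid'];
    return in_array($pid, $allowed, true) ? $pid : null;
}

// Decide what a login-form submission may do. Logout needs no pid, which
// matches the observation in the question; login must carry a valid one.
function handleLoginRequest(array $post): array
{
    $type = strtolower((string) ($post['logintype'] ?? ''));
    if ($type === 'logout') {
        return ['action' => 'logout'];
    }
    if ($type !== 'login') {
        return ['action' => 'none'];
    }
    $pid = resolveStoragePid($post);
    if ($pid === null) {
        // Do not fall back to a default folder: a tampered pid must fail.
        return ['action' => 'reject', 'reason' => 'storage pid not permitted'];
    }
    return ['action' => 'login', 'pid' => $pid, 'user' => (string) ($post['user'] ?? '')];
}

// Constructed sample requests: one legitimate, two tampered, one logout.
$samples = [
    ['logintype' => 'login',  'user' => 'alice', 'pass' => 'x', 'pid' => '12'],
    ['logintype' => 'login',  'user' => 'alice', 'pass' => 'x', 'pid' => '999'],
    ['logintype' => 'login',  'user' => 'alice', 'pass' => 'x', 'pid' => '12 OR 1'],
    ['logintype' => 'Logout'],
];
foreach ($samples as $sample) {
    echo json_encode(handleLoginRequest($sample)), PHP_EOL;
}
```

The point of the allowlist is that the pid in the form only selects among folders the installation already knows about; it never lets the client name an arbitrary folder, so the hidden field discloses nothing that could not be checked against server configuration anyway.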

