[TYPO3-english] fe_typo_user cookie: Changes from 6.2.3 to 6.2.4

Helmut Hummel helmut.hummel at typo3.org
Sat Nov 15 19:03:50 CET 2014


Hi!

On 13.11.14 13:28, Valentin R wrote:

> we have an extranet with a closed usergroup where the users can login using their username as a parameter to the URL. (This is not a security issue because the user does not have any influence on this parameter)!

How did you implement this functionality?

> If the user wants to login but already has got the fe_typo_user cookie

A cookie is only sent if there is something stored in an (anonymous) 
session (fe_session_data table).

> the behaviour was as follows using Typo3 6.2.3 (shortened output of tcpdump):

> Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> Set-Cookie: fe_typo_user=6c3b39633e778b771c9289fcd0e4cfec; path=/; httponly
>
> The old cookie was deleted and a new cookie is set and therefore the user is logged in successfully!

Which is still buggy, as the cookie should neither have been deleted, 
nor set again (browser sent the cookie, there is a session id already 
which is now going to be used for the authenticated session).

> If the user wants to login but already has got the fe_typo_user cookie the behaviour was as follows using Typo3 6.2.4+ (shortened output of tcpdump):

> Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

This only happens, if you make use of the logoff_pre_processing or 
logoff_post_processing and delete the session data (fe_session_data 
table) belonging to the current session id.

The thing is that during an authentication request (login) ->logoff() 
is called to make sure no other session with that id is already present. 
This means the logoff hooks I mentioned above are also called during 
*login*! If there are hook subscribers that delete the session data, the 
cookie will be removed (as logoff is requested and neither a session, 
nor session data is present).

HTH

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
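As an added example that is not part of this thread or of TYPO3 itself: a small Python check that classifies the fe_typo_user Set-Cookie lines of a login response into the cases Helmut describes (old cookie dropped and a new one set; cookie dropped and nothing set because a logoff hook removed the session data; cookie untouched). The sample header lists are constructed from the shortened tcpdump output quoted above.

```python
import re

# Constructed sample responses, modelled on the tcpdump excerpts in the mail.
RESPONSE_623 = [
    "Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/",
    "Set-Cookie: fe_typo_user=6c3b39633e778b771c9289fcd0e4cfec; path=/; httponly",
]
RESPONSE_624_WITH_HOOK = [
    "Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/",
]
RESPONSE_EXPECTED = []  # browser already sent a valid session cookie: nothing should change


def parse_set_cookie(line):
    """Split one 'Set-Cookie: name=value; attr=val; flag' line into (name, value, attrs)."""
    body = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val  # flags such as httponly end up with an empty value
    return name, value, attrs


def is_deletion(value, attrs):
    """A cookie is cleared when its expiry lies in the past (TYPO3 uses 1970 and 'deleted')."""
    match = re.search(r"(\d{4})", attrs.get("expires", ""))
    if match:
        return int(match.group(1)) < 1980
    return value == "deleted"


def classify_login_response(headers, cookie_name="fe_typo_user"):
    """Return 'kept', 'issued', 'reissued' or 'session-lost' for the session cookie."""
    deleted, new_value = False, None
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(line)
        if name != cookie_name:
            continue
        if is_deletion(value, attrs):
            deleted = True
        else:
            new_value = value
    if deleted and new_value is None:
        return "session-lost"  # cleared and not replaced: session data removed during login
    if deleted:
        return "reissued"  # 6.2.3 behaviour: old cookie dropped, new session id set
    return "issued" if new_value else "kept"
```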
