[TYPO3-english] Re: fe_typo_user cookie: Changes from 6.2.3 to 6.2.4
Valentin R
valentin.rottmann at westlotto.com
Tue Nov 18 11:51:03 CET 2014
Hi Helmut!
Thanks for your quick response!
We have implemented the functionality of login via parameter ( GET /index.php?username=xyz ) via an extbase extension.
A rough description:
* Classes/Service/TerminalAccessService.php:
class TerminalAccessService extends \TYPO3\CMS\Sv\AbstractAuthenticationService {

    /**
     * Sets login credentials based on the "username" GET parameter
     *
     * @param array $loginData
     * @param string $passwordTransmissionStrategy
     * @return boolean
     */
    public function processLoginData(&$loginData, $passwordTransmissionStrategy = '') {
        $loginData['uname'] = $_GET['username'];
        // No password is transmitted; random placeholders fill the password fields
        $loginData['uident'] = \TYPO3\CMS\Core\Utility\GeneralUtility::getRandomHexString(10);
        $loginData['uident_text'] = \TYPO3\CMS\Core\Utility\GeneralUtility::getRandomHexString(10);
        return TRUE;
    }

    /**
     * Initializes the service and checks for availability
     *
     * @return boolean
     */
    public function init() {
        $available = parent::init();
        if ($available) {
            if (!self::isAvailable()) {
                $available = FALSE;
            }
        }
        return $available;
    }

    /**
     * Available only for requests from the configured terminal IP range
     * that carry a "username" GET parameter
     *
     * @return bool
     */
    static public function isAvailable() {
        $iprange = $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['terminal_auth']['ipRangeForTerminal'];
        if (cidr_match($_SERVER['REMOTE_ADDR'], $iprange) && isset($_GET['username'])) {
            return TRUE;
        }
        return FALSE;
    }

    // Accepts any credentials; the IP range check above is the only gate
    public function compareUident($user, $loginData, $passwordCompareStrategy = '') {
        return TRUE;
    }

    // 200: user is authenticated, no further auth services are asked
    public function authUser($user) {
        return 200;
    }
}
* Classes/Hook/FrontendPreProcessRequestHook.php:
    public function initializeTerminalAuthIfApplicable() {
        if (\Company\TerminalAuth\Service\TerminalAccessService::isAvailable()) {
            \TYPO3\CMS\Core\Utility\GeneralUtility::_GETset('login', 'logintype');
            $GLOBALS['TYPO3_CONF_VARS']['FE']['checkFeUserPid'] = FALSE;
        }
    }
--
We have inspected the behaviour of Typo3 6.2.3 in more detail.
If we log in using the URL parameter, the cookie is deleted and set again to the very same value:
> > Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> > Set-Cookie: fe_typo_user=6c3b39633e778b771c9289fcd0e4cfec; path=/; httponly
Nothing is stored in the table fe_session_data, but we have a long living entry in fe_session (joined with fe_users to display username and lastlogin):
| username | ses_id | ses_name | ses_iplock | ses_hashlock | ses_userid | ses_permanent | ses_data | lastaction | lastlogin |
| 12345678 at xyza | 6c3b39633e778b771c9289fcd0e4cfec | fe_typo_user | 192.168 | 112396423 | 296509 | 0 | NULL | 2014-11-17 15:40:23 | 2014-11-17 15:40:21 |
Unfortunately, we do not have explicit logoff requests and no influence on that because the client boxes are under the responsibility of our vendor.
We only have login requests.
> The thing is, that during an authentication request (login) ->logoff()
> is called to make sure no other session with that id is already present.
> This means the logoff hooks I mentioned above are also called during
> *login*! If there are hook subscribers that delete the session data, the
> cookie will be removed (as logoff is requested and neither a session,
> nor session data is present).
Helmut: is it possible to adapt our extension so that the logoff hook is not called?
Then everything should be fine, except that we have to clean up the fe_session table from time to time ...
Best regards, Valentin
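
Added example, not part of the original message or of the extension: the service above accepts any username without a password, so the cidr_match() call in isAvailable() is its only access control, and the post does not show that helper. A hypothetical fail-closed version is sketched below; it assumes $_SERVER['REMOTE_ADDR'] is the real client address (no reverse proxy in front) and that ipRangeForTerminal holds a single range in CIDR notation.

```php
<?php
// Added example: hypothetical stand-in for the cidr_match() helper that
// isAvailable() calls. Fails closed: any missing or malformed input
// returns FALSE, so the parameter login stays disabled.
function cidr_match($ip, $cidr) {
    if (!is_string($ip) || !is_string($cidr) || strpos($cidr, '/') === FALSE) {
        return FALSE; // unset config value or range without prefix length
    }
    list($network, $prefix) = explode('/', $cidr, 2);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($network);
    // Reject unparsable addresses and IPv4/IPv6 family mismatches.
    if ($ipBin === FALSE || $netBin === FALSE || strlen($ipBin) !== strlen($netBin)) {
        return FALSE;
    }
    if (!preg_match('/^[0-9]{1,3}\z/', $prefix) || (int)$prefix > strlen($ipBin) * 8) {
        return FALSE;
    }
    $prefix = (int)$prefix;
    $fullBytes = $prefix >> 3; // whole bytes covered by the prefix
    $restBits = $prefix & 7;   // remaining bits in the next byte
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return FALSE;
    }
    if ($restBits === 0) {
        return TRUE;
    }
    $mask = (0xFF << (8 - $restBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Constructed sample inputs, not values from the original post.
$samples = array(
    array('192.168.12.7', '192.168.0.0/16'), // address inside the range
    array('10.0.0.5', '192.168.0.0/16'),     // address outside the range
    array('192.168.12.7', NULL),             // range not configured
    array('::1', '192.168.0.0/16'),          // IPv6 client, IPv4 range
    array('192.168.12.7', '0.0.0.0/0x'),     // malformed prefix length
);
foreach ($samples as $sample) {
    var_dump(cidr_match($sample[0], $sample[1]));
}
```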