[TYPO3-v4] Configurable cookie name feature breaks rsaauth
Helmut Hummel
helmut.hummel at typo3.org
Sun Sep 25 12:25:29 CEST 2011
Hi,
while investigating why rsaauth for felogin does not work, I stumbled
over this change:
https://review.typo3.org/#change,2373,patchset=9
especially:
https://review.typo3.org/#patch,unified,2373,9,typo3/sysext/cms/tslib/index_ts.php
These changes rely on a PHP session being started for every request in
the frontend, which we agreed is not a good thing.
Can anybody involved in this change look into it and change it to not
rely on the PHP session? Thanks.
I will take care to fix rsaauth, which just checks if the $_SESSION var
is an array and not if the session really is started.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
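
Added example, not part of the original message and not rsaauth or TYPO3 core code: a PHP sketch of the difference between checking that $_SESSION is an array and checking that a session has really been started. The function names and the 'token' key are hypothetical, and the stored value is constructed.

```php
<?php
// Added illustration; the function names are hypothetical, not rsaauth code.

// Weak check: true as soon as any code has assigned $_SESSION,
// whether or not a session was ever started.
function sessionVarIsArray()
{
    return isset($_SESSION) && is_array($_SESSION);
}

// Strict check: asks the session module for its state.
// session_status() exists since PHP 5.4; on older versions
// compare session_id() against '' instead.
function sessionIsStarted()
{
    return session_status() === PHP_SESSION_ACTIVE;
}

// No session_start() has run in this request, yet some code
// initialises the superglobal and stores a value in it.
$_SESSION = array();
$_SESSION['token'] = 'constructed-sample-value';

$weakBefore   = sessionVarIsArray();
$strictBefore = sessionIsStarted();

// Start the session only at the point where it is really needed.
// session_start() rebuilds $_SESSION from session storage, so the
// value assigned above is not carried over.
if (!sessionIsStarted()) {
    session_start();
}
$tokenKept = isset($_SESSION['token']);
$_SESSION['token'] = 'constructed-sample-value'; // now written at session close

// Output is produced last so that session_start() can still send its cookie.
var_dump($weakBefore, $strictBefore, sessionIsStarted(), $tokenKept);
```

Starting the session lazily at the point of use keeps requests that never touch session data free of a PHP session, which is the behaviour the message asks for.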