[TYPO3-core] RFC #0013938: Backend session is locked to useragent

Helmut Hummel helmut.hummel at typo3.org
Wed Jan 19 19:59:39 CET 2011


Hi,

On 19.01.11 19:05, Ernesto Baschny [cron IT] wrote:
> 
>> I can keep my own private version of course but I prefer that everybody
>> gets a good fix.
> 
> Understood. But disabling this security feature is just a "way around"
> and I thought only useful on these development machines where you use
> Firebug etc. I must confess I use Firebug a lot and it has never
> happened to me.

Probably you do not use FirePHP, which causes the user agent change,
because the PHP API does not send the extra headers to user agents which
do not contain the "FirePHP" keyword. Besides browser plugins, maybe
some strange proxies could change this header part.

Anyways, sometimes you have to find a tradeoff between a security
feature and usability. And the extra security lies in the fact that if
someone is able to get hold of your session id, then he or she must also
sniff your user agent. Not too hard, since both are transmitted in the
same place (HTTP header).

So I'm fine with the possibility to turn this off and would also accept
to change the default to not checking the user agent.

However, besides the Firebug/FirePHP issue, I also never had a problem
with this check.

> So if it affects the customers, maybe there is another reason why they
> are logged off (e.g. IE8 when switching the "compatibility mode", which
> used to be a problem in older TYPO3 releases)?

Did you ever try to use a TYPO3 backend over a UMTS connection? If
you're lucky, it works. But of course this could also be caused by
changing IP addresses or content compression.

So knowing the cause of a logout (like you mentioned in the other post)
would be really helpful.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org


More information about the TYPO3-team-core mailing list