[Typo3-dev] Notice: Losing FE session in payment solution (3.6+)

Kasper Skårhøj kasper2004 at typo3.com
Wed Aug 4 11:02:24 CEST 2004


Hi Folks.

(For Your Information if anyone is interested)

I just tracked down a bug on an old site of mine with a payment solution
(using DIBS). On the site people would lose their session the moment
they wanted to pay for the goods - but only if logged in as FE users!

The problem is that 3.6.0+ by default locks the FE session to the value
of HTTP_USER_AGENT. But the payment solution was based on a relay which
requests the page from TYPO3 and sends the FE cookie - but obviously the
HTTP_USER_AGENT of the relay would mismatch the HTTP_USER_AGENT of the
user's browser - and the session was cancelled.

The solution now is a setting in TYPO3_CONF_VARS (CVS version) which can
disable this behaviour for those very special occasions where needed.

<TYPO3_CONF_VARS[FE]>
    'lockHashKeyWords' => 'useragent',    // Keyword list (Strings comma-separated).
                                          // Currently only "useragent"; if set, then the FE user
                                          // session is locked to the value of HTTP_USER_AGENT.
                                          // This lowers the risk of session hijacking. However,
                                          // some cases (like payment gateways) might have to use
                                          // the session cookie and in this case you will have to
                                          // disable that feature (e.g. with a blank string).
</TYPO3_CONF_VARS[FE]>

-- 
- kasper

--------
Please notice NEW EMAIL ADDRESS for 2004!! (due to SPAM-contamination)
	
"kasper2004 at typo3.com"
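The failure mode described in the post, shown as an added Python model (not TYPO3's code and not Kasper's): a session store that, when the keyword list contains "useragent", binds the FE session to a hash of HTTP_USER_AGENT and cancels the session on mismatch. The browser and relay user-agent strings, the username and the function names are constructed for the illustration. The simulation runs the same three requests (user views a page, the gateway relay fetches it with the user's cookie, the user comes back) under the 3.6.0+ default and with the keyword list blanked as the post suggests.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed request environments: a real browser and a payment relay that
# replays the user's FE cookie but naturally sends its own User-Agent.
BROWSER = {"HTTP_USER_AGENT": "Mozilla/5.0 (constructed browser UA)"}
RELAY = {"HTTP_USER_AGENT": "payment-relay/1.0 (constructed gateway UA)"}


def lock_hash(keywords: str, headers: dict) -> str:
    """Derive the session lock hash from the comma-separated keyword list.

    Only "useragent" is understood, matching the option described in the post.
    A blank list yields a constant hash, i.e. no locking at all.
    """
    parts = []
    for kw in (k.strip() for k in keywords.split(",")):
        if kw == "useragent":
            parts.append(headers.get("HTTP_USER_AGENT", ""))
        elif kw:
            raise ValueError(f"unknown lockHashKeyWords entry: {kw!r}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


@dataclass
class FrontendSessions:
    """Toy FE session store modelling the lockHashKeyWords behaviour."""

    lock_hash_keywords: str = "useragent"  # the 3.6.0+ default per the post
    _store: dict = field(default_factory=dict)

    def login(self, username: str, headers: dict) -> str:
        """Create a session and return the cookie value (session id)."""
        sid = secrets.token_hex(16)
        self._store[sid] = {
            "user": username,
            "lock": lock_hash(self.lock_hash_keywords, headers),
        }
        return sid

    def resolve(self, sid: str, headers: dict):
        """Return the logged-in user for this cookie, or None if no valid session.

        On a lock-hash mismatch the session is cancelled outright, which is
        exactly what the user experienced when the relay hit the site.
        """
        rec = self._store.get(sid)
        if rec is None:
            return None
        expected = lock_hash(self.lock_hash_keywords, headers)
        if not hmac.compare_digest(rec["lock"], expected):
            del self._store[sid]
            return None
        return rec["user"]


def simulate_payment_relay(keywords: str):
    """Run the checkout flow and report who each request resolves to."""
    sessions = FrontendSessions(lock_hash_keywords=keywords)
    sid = sessions.login("alice", BROWSER)
    before = sessions.resolve(sid, BROWSER)  # normal page view by the user
    relay = sessions.resolve(sid, RELAY)     # gateway fetches the page with her cookie
    after = sessions.resolve(sid, BROWSER)   # user returns from the gateway
    return before, relay, after


if __name__ == "__main__":
    print("default  :", simulate_payment_relay("useragent"))
    print("disabled :", simulate_payment_relay(""))
```

With the default the relay's request fails and, because the mismatch cancels the session, the user is logged out when she returns; with a blank keyword list all three requests resolve to the same user. The trade-off is the one the post names: the user-agent lock is a cheap hurdle against a stolen cookie being replayed from elsewhere, so disabling it should be confined to sites that really need a third party to present the FE cookie.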