[TYPO3-dev] AJAX ReLogin does not work
Marcus Krause
marcus#exp2009 at t3sec.info
Fri Apr 3 17:27:39 CEST 2009
Niels Pardon wrote on 04/03/2009 02:59 PM:
> Niels Pardon wrote:
>> $_SESSION['login_challenge'] before the update in backend.php:
>> dcc5a2bb54631da50371d8aa7eba7fae
>>
>> $_SESSION['login_challenge'] after the update in backend.php:
>> b7d8038cce3df6570c7d52a6cfeac9e6
>> (This is the value put in the JS)
>>
>> $_SESSION['login_challenge'] in the AJAX request to
>> /typo3/ajax.php?ajaxID=BackendLogin%3A%3AisTimedOut&skipSessionUpdate=1:
>> 32aed7785d3faf4b7a329fe8c5223f00
>>
>> So why do we have 3 different login challenges during one session?
>
> It seems that as soon as the login expires in the background, the page
> containing the "click here to re-login" link (the old one) is loaded and
> therefore a new login challenge is generated by backend.php, although
> this is not visible to the user.
I'm not into this relogin stuff but will leave a comment:
When is this "popup" fired up, before or after a user session expires?
If it's after, then the previous session ID is no longer valid. That's
what the session fixation fix does: it prevents TYPO3 from being tricked
into using an invalid session ID.
If it's after the whole process, the "relogin" is/should be the usual
authentication.
Marcus.
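The three situations discussed in this thread (a login answer computed against a challenge that a background page load has since overwritten, the pre-login session ID being discarded on successful authentication, and an expired session ID that can no longer be reused) can be walked through with a small toy model. The code below is an added example written for this page; it is not TYPO3's code, and the session store, the `md5(user:md5(password):challenge)` response format, the user table and the controllable clock are all constructed assumptions chosen to make the behaviour observable offline.

```python
import hashlib
import secrets


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def client_response(username: str, password: str, challenge: str) -> str:
    """What the login form's JavaScript sends (assumed format): the password
    never leaves the browser in clear, only a hash bound to the challenge
    the page was rendered with."""
    return md5hex(f"{username}:{md5hex(password)}:{challenge}")


class BackendSessions:
    """Toy server-side session store, constructed for this example."""

    def __init__(self, lifetime: int = 3600):
        self.lifetime = lifetime
        self.now = 0                                  # controllable clock, seconds
        self.sessions = {}                            # sid -> {challenge, user, last_seen}
        self.users = {"admin": md5hex("secret")}      # constructed credential store

    def _new(self, user=None) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"challenge": None, "user": user, "last_seen": self.now}
        return sid

    def start(self) -> str:
        """Anonymous pre-login session, as handed out on first visit."""
        return self._new()

    def _lookup(self, sid):
        s = self.sessions.get(sid)
        if s is not None and self.now - s["last_seen"] > self.lifetime:
            del self.sessions[sid]                    # expired: the id is dead from now on
            s = None
        return s

    def render_login(self, sid: str) -> str:
        """Every render of the login page stores a fresh challenge in the session
        and embeds it in the page; the previous challenge is overwritten."""
        s = self._lookup(sid)
        if s is None:
            raise LookupError("unknown or expired session")
        s["challenge"] = md5hex(secrets.token_hex(16))
        s["last_seen"] = self.now
        return s["challenge"]

    def login(self, sid: str, username: str, response: str):
        """Returns a new session id on success, None on failure."""
        s = self._lookup(sid)
        if s is None or s["challenge"] is None:
            return None
        expected = md5hex(f"{username}:{self.users.get(username, '')}:{s['challenge']}")
        s["challenge"] = None                         # a challenge is usable once
        if not secrets.compare_digest(expected, response):
            return None
        del self.sessions[sid]                        # fixation defence: never promote the pre-login id
        return self._new(username)

    def current_user(self, sid):
        s = self._lookup(sid)
        return None if s is None else s["user"]


def demo() -> dict:
    """Walks through the three situations from the thread and returns the outcomes."""
    srv = BackendSessions(lifetime=3600)
    out = {}

    # 1. Stale challenge: the page the user sees holds challenge A, but a
    #    background request re-rendered the login page, so the session holds B.
    sid = srv.start()
    shown = srv.render_login(sid)                     # challenge put into the JS
    srv.render_login(sid)                             # background re-render: new challenge
    out["stale_challenge_login"] = srv.login(sid, "admin", client_response("admin", "secret", shown))

    # 2. Fresh challenge: answer the one the session actually holds.
    current = srv.render_login(sid)
    new_sid = srv.login(sid, "admin", client_response("admin", "secret", current))
    out["fresh_login_user"] = srv.current_user(new_sid)
    out["old_sid_after_login"] = srv.current_user(sid)     # pre-login id was discarded

    # 3. Expired session: the old id is gone, so the relogin is an ordinary login
    #    in a brand-new session rather than a revival of the old id.
    srv.now += srv.lifetime + 1
    out["expired_user"] = srv.current_user(new_sid)
    try:
        srv.render_login(new_sid)
        out["relogin_with_expired_sid"] = "accepted"
    except LookupError:
        out["relogin_with_expired_sid"] = "rejected"
    fresh = srv.start()
    challenge = srv.render_login(fresh)
    out["relogin_user"] = srv.current_user(srv.login(fresh, "admin", client_response("admin", "secret", challenge)))
    return out
```

Running `demo()` shows why three different challenges within one session matter: only the challenge currently stored server-side is accepted, so a form answered with an older one fails even with the right password. It also shows the property the session fixation fix is about: after the lifetime has passed the old ID is simply unknown to the server, and after a successful login the pre-login ID is gone as well, so a relogin is the usual authentication in a fresh session, not a reuse of the stale ID.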