[TYPO3-dev] AJAX ReLogin does not work
Niels Pardon
mail at niels-pardon.de
Fri Apr 3 17:38:50 CEST 2009
Hi Marcus!
Good to have you in the discussion!
Marcus Krause wrote:
> Niels Pardon wrote on 04/03/2009 02:59 PM:
>> Niels Pardon wrote:
>>> $_SESSION['login_challenge'] before the update in backend.php:
>>> dcc5a2bb54631da50371d8aa7eba7fae
>>>
>>> $_SESSION['login_challenge'] after the update in backend.php:
>>> b7d8038cce3df6570c7d52a6cfeac9e6
>>> (This is the value put in the JS)
>>>
>>> $_SESSION['login_challenge'] in the AJAX request to
>>> /typo3/ajax.php?ajaxID=BackendLogin%3A%3AisTimedOut&skipSessionUpdate=1:
>>> 32aed7785d3faf4b7a329fe8c5223f00
>>>
>>> So why do we have 3 different login challenges during one session?
>> It seems that as soon as the login expires in the background the page
>> containing the "click here to re-login" link (the old one) is loaded and
>> therefore a new login challenge is generated by backend.php. Although
>> this is not visible to the user.
>
> I'm not into this relogin stuff but will leave a comment:
>
> When is this "popup" fired up, before or after a user session expires?
>
> If it's after, then the previous session ID is no longer valid. That's
> what the session fixation fix does; prevent tricking TYPO3 to use a not
> valid session ID.
>
> If it's after the whole process, the "relogin" is/should be the usual
> authentication.
There is a countdown displayed 120 seconds before the login expires. If
you don't react to that countdown the user gets logged out and the login
window is displayed.
The problem is that the login challenge for the relogin window is
generated directly after the initial login.
If the user session is no longer valid after the user is logged out
(when the session expires) then it makes sense that the relogin does not
work.
This would mean we can't generate the login challenge for the relogin
after the first login but have to get it directly after the logout.
Am I right with that assumption?
Greets,
Niels
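The sequence Niels describes, as an added illustration that is not part of the original thread and not TYPO3 code: a challenge-response login whose server-side challenge lives in the session, where a background reload of the page regenerates the challenge after the relogin form (and its JS) has already been rendered. A plain array stands in for `$_SESSION`, and the function names, the MD5-based response scheme and the sample credentials are assumptions made for the example only.

```php
<?php
// Added example, not TYPO3 code. Shows why an AJAX re-login fails when the
// server overwrites the session challenge after the login form was rendered,
// and the variant where the challenge is generated only when the form is shown.
// $session stands in for $_SESSION; function names and scheme are assumptions.

function newChallenge(array &$session): string {
    // Every render of a login form overwrites the stored challenge (32 hex chars,
    // like the values quoted in the thread).
    $session['login_challenge'] = bin2hex(random_bytes(16));
    return $session['login_challenge'];
}

function challengeResponse(string $username, string $passwordHash, string $challenge): string {
    // Hypothetical client-side computation: the password itself is never sent,
    // only a digest bound to the challenge the client was given.
    return md5($username . ':' . $passwordHash . ':' . $challenge);
}

function verifyLogin(array &$session, string $username, string $passwordHash, string $response): bool {
    if (!isset($session['login_challenge'])) {
        return false;                                   // no outstanding challenge
    }
    $expected = challengeResponse($username, $passwordHash, $session['login_challenge']);
    $ok = hash_equals($expected, $response);            // constant-time comparison
    unset($session['login_challenge']);                 // one challenge, one attempt: no replay
    return $ok;
}

$user = 'admin';
$pwHash = md5('example-password');                      // constructed sample credential

// --- Scenario A: the sequence reported in the thread ---
$session = [];
$formChallenge = newChallenge($session);   // challenge embedded in the JS of the relogin window
newChallenge($session);                    // hidden reload of backend.php generates a fresh one
$response = challengeResponse($user, $pwHash, $formChallenge);
var_dump(verifyLogin($session, $user, $pwHash, $response));   // bool(false): challenge mismatch

// --- Scenario B: challenge generated only when the relogin form is actually displayed ---
$session = [];
$formChallenge = newChallenge($session);   // issued at the moment the user is asked to re-login
$response = challengeResponse($user, $pwHash, $formChallenge);
var_dump(verifyLogin($session, $user, $pwHash, $response));   // bool(true)
var_dump(verifyLogin($session, $user, $pwHash, $response));   // bool(false): challenge already consumed
```

Scenario A reproduces the three-different-challenges situation: the response is computed against the challenge the form received, but the server checks it against whatever was written last. Scenario B is the flow Niels proposes, with the challenge issued right when the relogin form appears; the consume-once behaviour in `verifyLogin` is an added defensive detail so a captured response cannot be replayed against the same session.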