[TYPO3-dev] AJAX ReLogin does not work

Dan Osipov dosipov at phillyburbs.com
Fri Apr 3 17:49:34 CEST 2009


I've experienced an issue (http://bugs.typo3.org/view.php?id=10800) 
where the login box doesn't appear at all - and I think that's because 
the session expires. The 120 second count is not based on the server 
session time, but on the client - so you might already be logged out 
even though the counter is still going.

I really hope this is fixed by the release, as otherwise I would get a 
lot of complaints...

Dan Osipov
Calkins Media
http://danosipov.com/blog/

Niels Pardon wrote:
> Hi Marcus!
> 
> Good to have you in the discussion!
> 
> Marcus Krause wrote:
>> Niels Pardon wrote on 04/03/2009 02:59 PM:
>>> Niels Pardon wrote:
>>>> $_SESSION['login_challenge'] before the update in backend.php:
>>>> dcc5a2bb54631da50371d8aa7eba7fae
>>>>
>>>> $_SESSION['login_challenge'] after the update in backend.php:
>>>> b7d8038cce3df6570c7d52a6cfeac9e6
>>>> (This is the value put in the JS)
>>>>
>>>> $_SESSION['login_challenge'] in the AJAX request to
>>>> /typo3/ajax.php?ajaxID=BackendLogin%3A%3AisTimedOut&skipSessionUpdate=1:
>>>> 32aed7785d3faf4b7a329fe8c5223f00
>>>>
>>>> So why do we have 3 different login challenges during one session?
>>> It seems that as soon as the login expires in the background the page
>>> containing the "click here to re-login" link (the old one) is loaded and
>>> therefore a new login challenge is generated by backend.php, although
>>> this is not visible to the user.
>> I'm not into this relogin stuff but will leave a comment:
>>
>> When is this "popup" fired up, before or after a user session expires?
>>
>> If it's after, then the previous session ID is no longer valid. That's
>> what the session fixation fix does; prevent tricking TYPO3 to use a not
>> valid session ID.
>>
>> If it's after the whole process, the "relogin" is/should be the usual
>> authentication.
> 
> There is a countdown displayed 120 seconds before the login expires. If
> you don't react to that countdown the user gets logged out and the login
> window is displayed.
> 
> The problem is that the login challenge for the relogin window is
> generated directly after the initial login.
> 
> If the user session is no longer valid after the user is logged out
> (when the session expires) then it makes sense that the relogin does not
> work.
> 
> This would mean we can't generate the login challenge for the relogin
> after the first login but have to get it directly after the logout.
> 
> Am I right in that assumption?
> 
> Greets,
> 
> Niels
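
The mechanism the thread is debating, simulated as an added example (this is not TYPO3 code; none of the class or function names below exist in TYPO3): a toy backend that stores one login challenge per session, replaces it on every page load, and lets the session expire after a period of inactivity. Against it run the two relogin strategies under discussion, one that reuses the challenge captured at the first page load and one that asks the server whether the session is still alive and obtains a fresh challenge (and, if needed, a fresh session) right before authenticating. The digest formula, the timings and the session lifetime are assumptions chosen for the simulation.

```python
import hashlib
import hmac
import secrets


def compute_response(user, password_hash, challenge):
    """Client-side digest bound to one challenge value.

    Placeholder formula (assumption), not TYPO3's real scheme; all that
    matters here is that a response computed for one challenge fails for another.
    """
    return hashlib.sha256(f"{user}:{password_hash}:{challenge}".encode()).hexdigest()


class BackendServer:
    """Hypothetical stand-in for backend.php / ajax.php (not TYPO3 code)."""

    def __init__(self, password_hashes, session_lifetime):
        self.password_hashes = password_hashes   # user -> hex password hash
        self.session_lifetime = session_lifetime
        self.sessions = {}   # session_id -> {"user", "challenge", "last_seen"}

    def start_session(self, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "challenge": None, "last_seen": now}
        return sid

    def _alive(self, sid, now):
        s = self.sessions.get(sid)
        return s is not None and now - s["last_seen"] <= self.session_lifetime

    def load_page(self, sid, now):
        """Like backend.php: touches the session and stores a NEW challenge in it."""
        if not self._alive(sid, now):
            self.sessions.pop(sid, None)
            return None
        s = self.sessions[sid]
        s["last_seen"] = now
        s["challenge"] = secrets.token_hex(16)   # the value that ends up in the page's JS
        return s["challenge"]

    def is_timed_out(self, sid, now):
        """Like ajaxID=BackendLogin::isTimedOut&skipSessionUpdate=1: read-only check."""
        return not self._alive(sid, now)

    def login(self, sid, now, user, response):
        """Accept only a response to the challenge currently stored in a live session."""
        if not self._alive(sid, now):
            return False    # an expired session ID is simply not valid any more
        s = self.sessions[sid]
        if s["challenge"] is None or user not in self.password_hashes:
            return False
        expected = compute_response(user, self.password_hashes[user], s["challenge"])
        if not hmac.compare_digest(expected, response):
            return False
        s["user"], s["last_seen"], s["challenge"] = user, now, None   # one attempt per challenge
        return True


def relogin_stale(server, sid, now, user, pw_hash, page_load_challenge):
    """The failing pattern: reuse the challenge captured when the page was first loaded."""
    return server.login(sid, now, user, compute_response(user, pw_hash, page_load_challenge))


def relogin_fresh(server, sid, now, user, pw_hash):
    """Ask the server first, then fetch a challenge immediately before authenticating."""
    if server.is_timed_out(sid, now):
        sid = server.start_session(now)   # old ID is dead: this is a plain re-authentication
    challenge = server.load_page(sid, now)
    return sid, server.login(sid, now, user, compute_response(user, pw_hash, challenge))


def run_scenario(lifetime=3600):
    """Constructed timeline on a fake clock (seconds); returns what each step yielded."""
    pw_hash = hashlib.sha256(b"constructed-password").hexdigest()
    server = BackendServer({"admin": pw_hash}, lifetime)
    now = 0
    sid = server.start_session(now)
    c1 = server.load_page(sid, now)                       # challenge baked into the page's JS
    initial = server.login(sid, now, "admin", compute_response("admin", pw_hash, c1))

    # A page load the user never sees (the old "click here to re-login" page)
    # silently replaces the session's challenge, as the quoted debugging output shows.
    now += 600
    c2 = server.load_page(sid, now)
    stale_while_alive = relogin_stale(server, sid, now, "admin", pw_hash, c1)

    # The session then expires on the server; a purely client-side countdown cannot know.
    now += lifetime + 1
    timed_out = server.is_timed_out(sid, now)
    stale_after_expiry = relogin_stale(server, sid, now, "admin", pw_hash, c2)
    new_sid, fresh_ok = relogin_fresh(server, sid, now, "admin", pw_hash)

    return {
        "initial_login": initial,
        "challenge_changed": c1 != c2,
        "stale_while_alive": stale_while_alive,
        "timed_out": timed_out,
        "stale_after_expiry": stale_after_expiry,
        "fresh_relogin": fresh_ok,
        "new_session_id": new_sid != sid,
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The relogin with the page-load challenge fails in both cases: while the session is still alive, because a hidden page load has already replaced the challenge, and after expiry, because the session ID itself is no longer valid. The only variant that works asks the server (the read-only timed-out check) and then obtains its challenge immediately before sending the response, which is the ordering Niels arrives at above.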



