[TYPO3-dev] store a simple user login in a session?

David Bruchmann typo3-dev at bruchmann-web.de
Wed Jul 29 23:49:15 CEST 2009


----- Original Message -----
From:       Gerhard Mehsel <sparking at gmx.net>
Sent:       Tuesday, 21 July 2009 09:45:36
To:         typo3-dev at lists.netfielders.de
CC:
Subject:    Re: [TYPO3-dev] store a simple user login in a session?

> I want to set the user data like this:
>   $GLOBALS["TSFE"]->fe_user->setKey("user","password", 12346);
> 
> My question: is this kind of TYPO3 session save enough to put the 
> username and password in it or should I store this information in an 
> other way?

Normally it's no good idea to save passwords or other personal data in 
sessions. If it's really needed, you have to ensure that the page or the 
session can't be read by a "man in the middle" or hijacked at all.

For general information:
http://www.heise.de/security/Einfallstor-Browser--/artikel/115254 [de]
http://insecure.org/
Both links don't cover all possible security holes, I think, but it's a 
start for informing yourself.

By the way: "men in the middle" are often in your own or the customer's 
company. So they have access to algorithms to decode weakly and badly 
encrypted passwords (or, for passwords without salt, they just use 
rainbow tables). Saving (and transmitting) unencrypted passwords in 
sessions is unbelievable anyway.


Best regards
David
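The contrast David draws above, as an added PHP example that is not part of this thread and not TYPO3 code: the session pattern the original question asked about (plaintext password via setKey) next to a variant that keeps only a non-secret marker in the session and verifies the password against a per-user salted hash. The `$session` array stands in for the fe_user session store reached through setKey()/getKey(); the user table, the lookup table of unsalted MD5 hashes and the function names are constructed for the example, and password_hash()/password_verify() assume PHP 5.5 or later.

```php
<?php
// Added example, not from the original post or from TYPO3. $session stands in
// for the fe_user session store (setKey()/getKey()); users and the lookup
// table are constructed inline so the script runs stand-alone.

declare(strict_types=1);

// --- Weak variant: what the thread warns against ---------------------------

// Constructed, tiny "rainbow table": unsalted MD5 of two common passwords.
const LOOKUP_TABLE = [
    'e10adc3949ba59abbe56e057f20f883e' => '123456',
    '5f4dcc3b5aa765d61d8327deb882cf99' => 'password',
];

function weakLogin(array &$session, string $user, string $password): void
{
    // Plaintext password in the session: whoever can read the session store,
    // sniff the transport, or hijack the session holds the credential itself.
    $session['user']     = $user;
    $session['password'] = $password;
    // An unsalted hash is hardly better: a precomputed table maps it straight back.
    $session['pwhash']   = md5($password);
}

function crackWeakHash(string $hash): ?string
{
    return LOOKUP_TABLE[$hash] ?? null;
}

// --- Hardened variant ---------------------------------------------------------

// Constructed user table. password_hash() picks a random salt per call, so two
// users with the same password get different hashes and no table helps.
function buildUsers(): array
{
    return [
        'alice' => ['uid' => 1, 'pwhash' => password_hash('123456', PASSWORD_BCRYPT)],
        'bob'   => ['uid' => 2, 'pwhash' => password_hash('123456', PASSWORD_BCRYPT)],
    ];
}

function safeLogin(array &$session, array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['pwhash'])) {
        return false;
    }
    // Only non-secret data goes into the session: the user id and a timestamp.
    // In a real application also rotate the session id here (plain PHP:
    // session_regenerate_id(true)) so a pre-login id cannot be fixated.
    $session['uid']      = $users[$user]['uid'];
    $session['login_ts'] = time();
    return true;
}

function isLoggedIn(array $session): bool
{
    return isset($session['uid']);
}

// --- Demonstration ------------------------------------------------------------

$users = buildUsers();

$weak = [];
weakLogin($weak, 'alice', '123456');
echo "weak session holds: " . $weak['password'] . "\n";
echo "weak session hash cracks to: " . crackWeakHash($weak['pwhash']) . "\n";

echo "salted hashes of the same password equal: "
    . var_export($users['alice']['pwhash'] === $users['bob']['pwhash'], true) . "\n";

$safe = [];
echo "wrong password accepted: " . var_export(safeLogin($safe, $users, 'alice', 'wrong'), true) . "\n";
echo "right password accepted: " . var_export(safeLogin($safe, $users, 'alice', '123456'), true) . "\n";
echo "logged in: " . var_export(isLoggedIn($safe), true) . "\n";
echo "safe session keys: " . implode(', ', array_keys($safe)) . "\n";
```

Run with `php example.php`. The point of the second half is that the session never needs the password at all: once the hash check has passed, a user id plus a server-side session is enough to decide later requests, and a stolen session reveals no credential that could be replayed elsewhere.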
