[TYPO3-dev] Session Fixation "Feature" -> breaks Session Handling
Olivier Schopfer
ops at wcc-coe.org
Fri Nov 13 15:06:04 CET 2009
Martin Holtz wrote:
> Hi,
>
> I used sessions only via TypoScript but it is not possible anymore.
>
> I removed the session fixation fix to get it running again:
>
> http://blog.martinholtz.de/blog-post/2009/01/25/session-verwenden-mit-typoscript/
>
> There was the simple solution to name an input-field in a special syntax:
>
> <form method="post">
> <label for="test">Namen eingeben:</label>
> <input id="test" type="text" value="" name="recs[ts][name]"
> action="###URL###" />
> <input type="submit" />
> </form>
>
> That stores the value in the session.
>
> With
>
> 10 = TEXT
> 10.data = TSFE:fe_user|sesData|recs|ts|name
>
> I can read it out.
>
> But with session-fixation fix, that solution does not work anymore.
>
> I tried to debug, but didn't really find the reason...
>
> any hint?
>
> thanks,
> martin
Friends,
I understand all that has been said, but it contradicts what is still in
the TSREF manual:
http://typo3.org/documentation/document-library/references/doc_core_tsref/4.2.0/view/1/14/#id4501321
With session-fixation, this feature doesn't work any longer.
In our case, it just deactivated our little online shop without any
warning! Bad...
Shouldn't a session be locked as soon as some data of the form
recs[table_name][uid_of_record] is posted?
Thanks.
Olivier