[TYPO3-english] fe_typo_user cookie: Changes from 6.2.3 to 6.2.4
Helmut Hummel
helmut.hummel at typo3.org
Fri Nov 21 16:57:14 CET 2014
Hi Valentin!
On 18.11.14 11:51, Valentin R wrote:
> We have implemented the functionality of login via parameter ( GET /index.php?username=xyz ) via an extbase extension.
> A rough description:
Looks fine so far, except that you are authenticating the user on every
request (forcing logintype set to login)
> We have inspected the behaviour of Typo3 6.2.3 in more detail.
> If we login using the URL parameter, the cookie is deleted and set again to the very same value:
>
>>> Set-Cookie: fe_typo_user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
>>> Set-Cookie: fe_typo_user=6c3b39633e778b771c9289fcd0e4cfec; path=/; httponly
>
> Nothing is stored in the table fe_session_data, but we have a long living entry in fe_session (joined with fe_users to display username and lastlogin):
>
> | username | ses_id | ses_name | ses_iplock | ses_hashlock | ses_userid | ses_permanent | ses_data | lastaction | lastlogin |
> | 12345678 at xyza | 6c3b39633e778b771c9289fcd0e4cfec | fe_typo_user | 192.168 | 112396423 | 296509 | 0 | NULL | 2014-11-17 15:40:23 | 2014-11-17 15:40:21 |
Where does this session come from?
I assume from a previous request.
> Helmut: is it possible to adapt our extension that the logoff hook is not called?
> Then everything should be fine, except that we have to clean up the fe_session table from while to while ...
The logoff hook is not an issue in your case (session data is empty).
The issue is that a cookie is obviously set during a first login request
and in a second request you are going to pretend that credentials have
been sent once again, thus the complete authentication process is
started again.
As outlined before, the authentication process starts by clearing up
session records that are present for the given cookie to avoid unwanted
re-use of session records.
Then FrontendUserAuthentication::logoff()
does not find a session any more for the cookie but recognizes that a
cookie was sent in this request and thus correctly removes the cookie again.
I could reproduce the behavior by re-submitting the login form directly
after a successful login.
A quick fix for you could be to implement the initAuth method in your
service class and set the forceSetCookie property of the passed user
authentication object to TRUE.
It would be cleaner though, if you would
- kick your FrontendPreProcessRequestHook,
- set
  $GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_fetchUserIfNoSession'] = TRUE;
  in your configuration,
- implement the getUser method (and register your auth service to use it)
  and fetch the user from the database for the passed username and return it.
The benefit of the second suggestion would be that after one successful
login, the whole authentication process is not started again, but
authentication is based on the session cookie.
HTH
Kind regards,
Helmut
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
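As an added illustration of the second suggestion (this is example code, not Valentin's extension or code from the TYPO3 core): a minimal TYPO3 6.2 frontend authentication service whose getUser() looks up the fe_users record for the username passed in the request, plus the service registration and the FE_fetchUserIfNoSession setting that lets TYPO3 call it when no session exists yet. With this in place no FrontendPreProcessRequestHook is needed to force logintype=login on every request; once the session is created, later requests are served from the fe_typo_user cookie and the service is not consulted again. The extension key (myext), vendor/class names and the GET parameter name (username) are assumptions. The example trusts the parameter exactly as the extension discussed in the thread does; how that parameter is protected is not covered here.

```php
<?php
// Added example, not code from the mailing-list thread.
// File 1 (assumed path): typo3conf/ext/myext/Classes/Service/ParameterAuthService.php
namespace Vendor\Myext\Service;

use TYPO3\CMS\Core\Utility\GeneralUtility;

class ParameterAuthService extends \TYPO3\CMS\Sv\AbstractAuthenticationService {

    /**
     * With FE_fetchUserIfNoSession = TRUE this is called on requests that carry
     * no login form data, so the regular "status must be login" check of the
     * core service is deliberately not applied here.
     *
     * @return array|bool fe_users row or FALSE if no user should be logged in
     */
    public function getUser() {
        // Assumed parameter name: GET /index.php?username=xyz
        $username = GeneralUtility::_GET('username');
        if ($username === NULL || $username === '') {
            return FALSE;
        }
        // fetchUserRecord() is provided by AbstractAuthenticationService and
        // queries fe_users honouring the enable fields (deleted, disable, ...).
        $user = $this->fetchUserRecord($username);
        return is_array($user) ? $user : FALSE;
    }

    /**
     * Accept the record found by getUser(). 200 = authenticated and stop
     * the service chain; 100 = not responsible, let other services decide.
     */
    public function authUser(array $user) {
        return isset($user['uid']) && (int)$user['uid'] > 0 ? 200 : 100;
    }
}

// File 2 (assumed path): typo3conf/ext/myext/ext_localconf.php
// Shown here for completeness; in a real extension it is a separate file
// without a namespace declaration.
\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService(
    'myext',
    'auth',
    'Vendor\\Myext\\Service\\ParameterAuthService',
    array(
        'title' => 'Login by request parameter',
        'description' => 'Fetches the frontend user named in the request',
        'subtype' => 'getUserFE,authUserFE',
        'available' => TRUE,
        // higher than the core AuthenticationService (50) so it runs first
        'priority' => 60,
        'quality' => 60,
        'os' => '',
        'exec' => '',
        'className' => 'Vendor\\Myext\\Service\\ParameterAuthService',
    )
);

// Lets checkAuthentication() call getUser() when no fe_typo_user session
// exists, instead of only after a submitted login form.
$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup']['FE_fetchUserIfNoSession'] = TRUE;
```

After the first request with the parameter, TYPO3 creates the fe_session record and sets the cookie once; subsequent requests are authenticated from that cookie, which is the behaviour described above and avoids the delete-and-reset of fe_typo_user on every hit.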