[TYPO3-core] Gremlin #381: "Page is being generated" should be localized
Kasper Skårhøj
kasper2005 at typo3.com
Mon Dec 19 15:20:35 CET 2005
He has a new job now. This is his original mail:
> We have some cookie-related problems. Our caching system caches everything
> that it is allowed to according to the RFCs. One of the things it is allowed to
> cache is the Set-Cookie header.
>
> This causes problems:
>
> If user A without a cookie visits the non-cached page A1, then a
> Set-Cookie is generated for A, and this cookie is cached for page
> A1.
> If user B now comes in without a cookie and visits A1, then he gets the
> cached Set-Cookie, namely A's cookie.
>
> This means that we cannot expect our frontend users to have unique
> fe_typo3_user cookies.
>
> Our subscription sign-up uses a Typo3 feature (fe_user_sessions), which
> assumes that fe_typo3_user is unique, and this is not correct with caching.
> So we risk that A signs up. When B then comes in, he sees A's
> subscription details.
>
> The solution must be that Typo3 sends other caching headers if a
> Set-Cookie is sent.
> We have found several possibilities:
> * The obvious one: Pragma: private
> * The clever one: Cache-control: no-cache="Set-Cookie"
Translated:
We have some cookie-related problems. Our caching system caches everything
according to the RFCs, including the Set-Cookie header!
This gives problems
If user A without a cookie enters a non-cached page A1, then A receives a cookie
and this cookie is cached for the page A1.
If user B without a cookie enters page A1, then he gets the cached cookie which
was delivered to user A.
This means we cannot expect frontend users to have unique cookies, meaning
that new frontend users will take over other frontend users sessions!!....
Solution must be that TYPO3 sends other caching headers like
Pragma: Private.
So, as you see, this is kind of security related and I think we should not
change this except if we really know what we are doing! It might open
critical security holes right on typo3.org where we use caching and at the
same time use logins!!!
- kasper
On Monday 19 December 2005 15:11, Martin Kutschker wrote:
> Kasper Skårhøj <kasper2005 at typo3.com> writes on Mon, 19 Dec 2005 14:46:19 +0100 (MET):
> > > Just a thought on the issue of the HTTP headers. Why do we send
> > > "Cache-Control: private"? This is allowing private caching, ie in a
> > > browser cache.
> >
> > Ole Tange at forbrug.dk asked me to change this - look in changelog of
> > file to see what it was before. He had some reason to.
>
> I found his name in the comment, but no further explanation. I'll see if I
> can reach him for comment.
>
> Masi
> _______________________________________________
> Typo3-team-core mailing list
> Typo3-team-core at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-team-core
--
- kasper
-----------------
"A 'please' would be nice", John Travolta, Pulp Fiction
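Added example, not code from this thread or from TYPO3: a small Python model of a shared cache that stores Set-Cookie, showing user B being handed user A's fe_typo3_user cookie when the response is cacheable, and how the two directives named in the quoted mail (`Cache-Control: private`, the Cache-Control form of the "private" option, and `Cache-Control: no-cache="Set-Cookie"`) prevent it. The origin behaviour, the page path /A1 and the directive handling are simplified assumptions.

```python
import itertools
import re
_session_ids = itertools.count(1)

def origin(path, request_cookie, cache_control):
    # Constructed origin: like the TYPO3 behaviour described in the thread, it
    # issues a fresh fe_typo3_user cookie whenever the request carries none.
    headers = {"Cache-Control": cache_control}
    if request_cookie is None:
        headers["Set-Cookie"] = f"fe_typo3_user=sess{next(_session_ids)}"
    return {"headers": headers, "body": f"<html>{path}</html>"}

def parse_cache_control(value):
    """Turn 'no-cache="Set-Cookie", max-age=60' into {directive: argument}."""
    directives = {}
    for m in re.finditer(r'([\w-]+)(?:="([^"]*)"|=([^,\s]+))?', value or ""):
        directives[m.group(1).lower()] = m.group(2) or m.group(3)
    return directives

class SharedCache:
    """Minimal shared cache: replays stored responses, headers included."""
    def __init__(self, cache_control):
        self.cache_control = cache_control
        self.store = {}
    def fetch(self, path, request_cookie):
        if path in self.store:
            return self.store[path]
        resp = origin(path, request_cookie, self.cache_control)
        cc = parse_cache_control(resp["headers"]["Cache-Control"])
        # 'private', 'no-store' or a bare 'no-cache' forbid reuse by a shared cache
        if "private" in cc or "no-store" in cc or cc.get("no-cache", "") is None:
            return resp
        stored = {"headers": dict(resp["headers"]), "body": resp["body"]}
        # no-cache="Set-Cookie": storing is allowed, but the named header must
        # not be replayed without revalidation, so drop it from the stored copy
        for name in (cc.get("no-cache") or "").split(","):
            stored["headers"].pop(name.strip(), None)
        self.store[path] = stored
        return resp

def simulate(cache_control):
    """Cookie-less users A then B fetch /A1; returns the Set-Cookie each gets."""
    cache = SharedCache(cache_control)
    cookie_a = cache.fetch("/A1", None)["headers"].get("Set-Cookie")
    cookie_b = cache.fetch("/A1", None)["headers"].get("Set-Cookie")
    return cookie_a, cookie_b

def leaks_session(cache_control):  # True when B is handed A's cookie
    a, b = simulate(cache_control)
    return a is not None and a == b
```

With `no-cache="Set-Cookie"` user B gets the cached page without any Set-Cookie, so the leak is gone but B only receives a session once the cache revalidates with the origin; with `private` the shared cache never stores the response at all.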