[TYPO3-core] Gremlin #1573: Admin user is logged out on testingbeuser settings

Sebastian Kurfuerst sebastian at garbage-group.de
Sun Nov 6 21:52:13 CET 2005

Hi Masi,
> To protect it even more a checkbox in the user module could be placed.
> So that the switch-back feature must be anabled manually.
I don't think this is needed... See below. If all new features will have
to be activated this is quite impractical for the user...

> Can the feature be a point of an attack? Yes, if a non-admin TYPO3
> user or any DB-user directly somehow manages to manipulate the session
> table. 
Well, if the user can manipulate the sessions table he can simply set
ses_userid and reload the backend. This is even easier than using the
switchback feature... Thus I think the risk of attack is not increased.


Sebastian Kurfuerst

More information about the TYPO3-team-core mailing list