Sebastian Kurfuerst wrote:
> Hi Masi,
>>To protect it even more a checkbox in the user module could be placed.
>>So that the switch-back feature must be enabled manually.
> I don't think this is needed... See below. If all new features will have
> to be activated this is quite impractical for the user...

Well ... I am not uninterested in changes ... but they should always be
"backwards compatible" ... it is more a kind of usability issue.

Normally if you press the "Logout" button in ANY application you are logged
out and you will not have to care about any further things ... It would be
a bad thing to have to click on the logout button twice!

So in my opinion it would be the best thing to add a "Switch back" Button below
or above the Logout button when "ses_backuserid" is set. By pressing this button
the sued user can switch back to the user which was logged in at the beginning.

I don't think modifying the look of the logout button is sufficient.
After all, "Switch back" and "Logout" are different things.

> Well, if the user can manipulate the sessions table he can simply set
> ses_userid and reload the backend. This is even easier than using the
> switchback feature... Thus I think the risk of attack is not increased.

If somebody has access to the database tables he can create his own admin.
Such issues must not be addressed I guess. It should only be checked that
no holes get opened which allow access to the DB.

