[TYPO3-core] RFC #10205: DB session record is only created when user is authenticated
Michael Stucki
michael at typo3.org
Fri Jan 23 22:35:03 CET 2009
This is a SVN patch request.
Priority: urgent!!
Type: bugfix
Branches:
- TYPO3_4-0
- TYPO3_4-1
- TYPO3_4-2
- Trunk
Bugtracker references:
http://bugs.typo3.org/view.php?id=10205
Problem:
> Functions $GLOBALS["TSFE"]->fe_user->getKey() or
> $GLOBALS["TSFE"]->fe_user->setKey() allow binding data to a user's
> session. Unfortunately TYPO3 only creates DB session records in
> tables be_sessions/fe_sessions if a user authenticates.
>
> Before applying the session fixation fix, TYPO3 always trusted the
> session id provided by the user through COOKIE etc. Although no DB
> session records were created, setKey() and getKey() worked in a way
> that a record in fe_session_data was created (including session id)
> and could be accessed.
>
> Now, after the session fixation fix, TYPO3 will issue a new session
> id if there's no corresponding DB record in be_sessions/fe_sessions. This
> now has the drawback that every request of a non-authenticated user
> will force TYPO3 to issue a new session id, so that getKey() no longer
> works as existing records in fe_session_data are associated with an
> "old" session identifier.
>
> I believe that the security fix is not the cause of the problem but
> the trigger for it. I expect TYPO3 to create a DB session record
> whenever a session id is generated, not only when a user authenticates.
Solution:
The solution is to check in "fe_session_data" if the first test
didn't succeed. This happens at the cost of an additional DB query;
however, I see no way to work around this without making bigger changes.
- michael
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bug_10205_v4.diff
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20090123/cf64ca8d/attachment.txt
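The lookup order the RFC describes, as an added model that is not TYPO3's code and not the attached patch: a client-supplied session id is honoured only if the server already holds a record for it, first in fe_sessions (created on login), then in fe_session_data (created by setKey()); anything else gets a freshly generated id. The table names come from the post; the class, method names, in-memory dictionaries standing in for the tables, and the `check_session_data` switch (which reproduces the breakage the bug report describes when set to False) are assumptions of this example. The model also regenerates the id on login; the page does not say whether TYPO3 does this, it is simply the standard precaution in a session-fixation discussion.

```python
"""Model of the session id validation discussed in RFC #10205.

Added example, not TYPO3 code. fe_sessions / fe_session_data mirror the
tables named in the bug report; everything else is a constructed stand-in.
"""
import secrets


class SessionStore:
    def __init__(self, rng=secrets.token_hex):
        # ses_id -> user id; a row exists only after a user authenticated.
        self.fe_sessions = {}
        # ses_id -> {key: value}; a row appears as soon as setKey() is used.
        self.fe_session_data = {}
        # Injectable id generator (hypothetical) so tests are deterministic.
        self._rng = rng

    def new_session_id(self):
        return self._rng(16)

    def resolve_session(self, cookie_id, check_session_data=True):
        """Return (session_id, is_new) for the id presented by the client.

        An id is adopted only when the server already knows it. With
        check_session_data=False only fe_sessions counts, which is the
        state after the fixation fix that broke getKey() for anonymous
        users: every request of theirs produced a new id.
        """
        if cookie_id and cookie_id in self.fe_sessions:
            return cookie_id, False
        # The RFC's fix: a second lookup, at the cost of one more query.
        if check_session_data and cookie_id and cookie_id in self.fe_session_data:
            return cookie_id, False
        # Unknown (possibly attacker-chosen) id: never adopt it, issue our own.
        return self.new_session_id(), True

    def set_key(self, session_id, key, value):
        """setKey() analogue: creates the fe_session_data row on first use."""
        self.fe_session_data.setdefault(session_id, {})[key] = value

    def get_key(self, session_id, key):
        """getKey() analogue: None when the id has no data row."""
        return self.fe_session_data.get(session_id, {}).get(key)

    def login(self, session_id, user_id):
        """Bind the session to a user, issuing a fresh id and carrying the
        anonymous data over (model's choice; the page does not state
        whether TYPO3 regenerates the id here)."""
        new_id = self.new_session_id()
        self.fe_sessions[new_id] = user_id
        if session_id in self.fe_session_data:
            self.fe_session_data[new_id] = self.fe_session_data.pop(session_id)
        return new_id


if __name__ == "__main__":
    store = SessionStore()
    sid, _ = store.resolve_session(None)          # first anonymous request
    store.set_key(sid, "cart", ["item"])          # data bound to the session
    again, is_new = store.resolve_session(sid)    # second request, same cookie
    print("same session kept:", not is_new, store.get_key(again, "cart"))
    bogus, is_new = store.resolve_session("not-issued-by-this-server")
    print("unknown id replaced:", is_new and bogus != "not-issued-by-this-server")
```

The second lookup restores getKey()/setKey() for anonymous visitors without trusting arbitrary cookie values, because a row in fe_session_data only exists for ids the server itself handed out. Two things a deployment should still check: rows in fe_session_data that never become authenticated need a garbage-collection path, since unauthenticated clients can now cause them to be created, and an id accepted via that table should not survive login unchanged.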