[TYPO3-core] RFC #10205: DB session record is only created when user is authenticated

Ingmar Schlecht ingmar at typo3.org
Fri Jan 23 22:50:45 CET 2009


+1, looks all fine.

cheers
Ingmar


Michael Stucki wrote:
> This is a SVN patch request.
> 
> Priority: urgent!!
> 
> Type: bugfix
> 
> Branches:
> - TYPO3_4-0
> - TYPO3_4-1
> - TYPO3_4-2
> - Trunk
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=10205
> 
> Problem:
>> The functions $GLOBALS["TSFE"]->fe_user->getKey() and
>> $GLOBALS["TSFE"]->fe_user->setKey() allow binding data to a user's
>> session. Unfortunately TYPO3 only creates DB session records in the
>> tables be_sessions/fe_sessions if a user authenticates.
>>
>> Before applying the session fixation fix, TYPO3 always trusted the
>> session id provided by the user through COOKIE etc. Although no DB
>> session records were created, setKey() and getKey() worked in a way
>> that a record in fe_session_data was created (including session id)
>> and could be accessed.
>>
>>
>> Now, after the session fixation fix, TYPO3 will issue a new session
>> id if there is no corresponding DB record in be_sessions/fe_sessions.
>> This now has the drawback that every request of a non-authenticated
>> user will force TYPO3 to issue a new session id, so that getKey() no
>> longer works, as existing records in fe_session_data are associated
>> with an "old" session identifier.
>>
>>
>> I believe that the security fix is not the cause of the problem but
>> the trigger for it. I expect TYPO3 to create a DB session record
>> whenever a session id is generated, not only when a user
>> authenticates.
> 
> Solution:
> The solution is to check "fe_session_data" if the first test did not
> succeed. This comes at the cost of an additional DB query, however I
> see no way to work around this without making bigger changes.
> 
> - michael
> 


-- 
Ingmar Schlecht
TYPO3 Core Developer
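The lookup order Michael describes, as an added illustration that is not TYPO3's own code and not part of this thread: the client-supplied session id is kept only if the server already knows it, first from fe_sessions (authenticated users) and, with the RFC's extra check, from fe_session_data (anonymous users who stored data via setKey()); otherwise a fresh id is issued so a planted id is never trusted. The class, method names and the in-memory arrays standing in for the two tables are assumptions made for the example; the cart value and the attacker-chosen id are constructed inputs.

```php
<?php
// Added example, not TYPO3 code: a minimal model of the session id lookup
// discussed in RFC #10205. Arrays stand in for fe_sessions and
// fe_session_data; in TYPO3 each isset() below would be a DB query.
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array<string, int>> rows of fe_sessions, keyed by session id */
    private array $feSessions = [];
    /** @var array<string, array<string, mixed>> rows of fe_session_data, keyed by session id */
    private array $feSessionData = [];
    /** @var bool whether to also accept ids known from fe_session_data (the RFC's fix) */
    private bool $checkSessionData;

    public function __construct(bool $checkSessionData)
    {
        $this->checkSessionData = $checkSessionData;
    }

    /** A login is the only event that creates a fe_sessions row. */
    public function authenticate(string $sessionId, int $userId): void
    {
        $this->feSessions[$sessionId] = ['ses_userid' => $userId];
    }

    /**
     * Decide which session id a request runs under. After the session
     * fixation fix an unknown client id is never adopted: a new random id
     * is issued instead, so an attacker cannot plant one via the cookie.
     */
    public function resolveSessionId(?string $cookieId): string
    {
        if ($cookieId !== null) {
            // First test: an authenticated session exists for this id.
            if (isset($this->feSessions[$cookieId])) {
                return $cookieId;
            }
            // Second test (the RFC's addition, one extra query): an
            // anonymous session already holds data under this id.
            if ($this->checkSessionData && isset($this->feSessionData[$cookieId])) {
                return $cookieId;
            }
        }
        return bin2hex(random_bytes(16)); // unknown or missing id: issue a new one
    }

    /** Stands in for fe_user->setKey('ses', ...): writes a fe_session_data row. */
    public function setKey(string $sessionId, string $key, $value): void
    {
        $this->feSessionData[$sessionId][$key] = $value;
    }

    /** Stands in for fe_user->getKey('ses', ...). */
    public function getKey(string $sessionId, string $key)
    {
        return $this->feSessionData[$sessionId][$key] ?? null;
    }
}

// Scenario 1: an anonymous visitor stores a cart, then sends the same cookie
// on the next request. Without the fe_session_data check the id is
// regenerated and the cart is lost; with it the id survives.
foreach ([[false, 'without fe_session_data check'], [true, 'with fe_session_data check']] as [$enabled, $label]) {
    $store = new SessionStore($enabled);

    $first = $store->resolveSessionId(null);            // no cookie yet: new id
    $store->setKey($first, 'cart', ['sku' => 4711]);   // constructed sample value

    $second = $store->resolveSessionId($first);         // browser sends the cookie back
    $cart = $store->getKey($second, 'cart');
    printf("%s: id kept=%s, cart found=%s\n",
        $label, $second === $first ? 'yes' : 'no', $cart === null ? 'no' : 'yes');

    // Scenario 2: a fixation attempt. An id the server has never seen is
    // rejected in both modes, so the extra check does not reopen the hole.
    $planted = 'attacker-chosen-id';
    $issued = $store->resolveSessionId($planted);
    printf("%s: planted id adopted=%s\n", $label, $issued === $planted ? 'yes' : 'no');
}
```

Running it with the PHP CLI prints "id kept=no, cart found=no" for the first mode and "id kept=yes, cart found=yes" for the second, and "planted id adopted=no" for both, which is the property worth confirming in a real patch: the fallback only honours ids that already have a server-side row, never an arbitrary cookie value.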

