[TYPO3-core] RFC #10205: DB session record is only created when user is authenticated

Steffen Kamper info at sk-typo3.de
Sat Jan 24 02:10:20 CET 2009


Hi Michael,

Michael Stucki wrote:
> Oh well... What a mess!
> 
> After verifying the patch on a client's site, I can confirm that it
> works, however there are still more problems to be resolved.
> 
> The extension "commerce" does for some reason use its own session
> database, meaning there is no content in fe_session, no content in
> fe_session_data, but there is content in tx_commerce_baskets!
> 
> Now the question is, how should we treat that situation:
> 
> a) Ignore but warn users of that extension
> b) Add a fix for commerce to the core - see attached patch
> c) Add a configuration flag that disables the session fixation fix (so
>    that the user gets more time to wait for a fix from the commerce
>    developers).
> 
> Attached is a post patch that implements a check for the commerce
> extension. However, what if there are more such extensions playing their
> own game?
> 
> What do you propose?
> 

In general I would say that extensions which play their own game have to
fix it on their own. It's the core that offers methods and their support.
I don't agree with implementing special extension support in the core.
For commerce it's best to contact Ingo Schmitt (I can do this) to
inform him about the problem, showing him this patch as an instruction for
how to fix it in commerce, so he can do a hotfix for commerce.

Regards, Steffen

