[TYPO3-core] RFC #10205: DB session record is only created when user is authenticated
Marcus Krause
marcus#exp2009 at t3sec.info
Sat Jan 24 02:49:04 CET 2009
Michael Stucki wrote on 24.01.2009 at 01:54:
> Oh well... What a mess!
>
> After verifying the patch on a client's site, I can confirm that it
> works, however there are still more problems to be resolved.
>
> The extension "commerce" does for some reason use its own session
> database, meaning there is no content in fe_session, no content in
> fe_session_data, but there is content in tx_commerce_baskets!
>
> Now the question is, how should we treat that situation:
>
> a) Ignore but warn users of that extension
> b) Add a fix for commerce to the core - see attached patch
> c) Add a configuration flag that disables the session fixation fix (so
> that the user gets more time to wait for a fix from the commerce
> developers).
I'm sorry, Michael, for getting on your nerves, but there is
d) Do it the consistent way; keep track of issued session ids.
(meaning save all sid in be_/fe_sessions)
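
Option d) from the message above, sketched as an added example that is not part of the original mail and is not TYPO3 core code: every issued session ID is recorded, so an ID the server never issued can be recognised and replaced. The class IssuedSessionStore, its method names, the in-memory array standing in for the be_/fe_sessions tables, and the ID rotation at login are assumptions made for illustration.

```php
<?php
// Added illustration; IssuedSessionStore is a hypothetical in-memory
// stand-in for the be_/fe_sessions tables, not TYPO3 code.
final class IssuedSessionStore
{
    /** @var array<string, array{user: ?int, issued: int}> */
    private array $rows = [];

    // Create a fresh ID and record it at once, also for anonymous visitors.
    public function issue(?int $userId = null): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->rows[$sid] = ['user' => $userId, 'issued' => time()];
        return $sid;
    }

    // Accept a cookie value only if this server issued it; otherwise
    // discard it and hand out a new, recorded ID.
    public function resolve(?string $cookieSid): string
    {
        if ($cookieSid !== null && isset($this->rows[$cookieSid])) {
            return $cookieSid;
        }
        return $this->issue();
    }

    // Assumption: at login the pre-login ID is retired and a new one is
    // bound to the user, so an ID known before login carries no privileges.
    public function login(string $sid, int $userId): string
    {
        unset($this->rows[$sid]);
        return $this->issue($userId);
    }

    // Look up the user bound to an ID; null for anonymous or unknown IDs.
    public function userFor(string $sid): ?int
    {
        return $this->rows[$sid]['user'] ?? null;
    }
}

$store = new IssuedSessionStore();
// Constructed sample: an ID chosen by someone else and placed in the cookie.
$planted = str_repeat('a', 32);
$anon = $store->resolve($planted);        // planted ID is unknown, so it is replaced
$authed = $store->login($anon, 42);       // constructed user id
var_dump($anon === $planted);             // whether the planted ID was accepted
var_dump($store->userFor($planted));      // what the planted ID maps to after login
var_dump($store->userFor($authed));       // what the rotated ID maps to
```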