[TYPO3-core] RFC #10205: DB session record is only created when user is authenticated
Marcus Krause
marcus#exp2009 at t3sec.info
Sat Jan 24 11:05:29 CET 2009
Martin Kutschker wrote on 24.01.2009 at 10:17:
> Marcus Krause schrieb:
>>> Now the question is, how should we treat that situation:
>>>
>>> a) Ignore but warn users of that extension
>>> b) Add a fix for commerce to the core - see attached patch
>>> c) Add a configuration flag that disables the session fixation fix (so
>>> that the user gets more time to wait for a fix from the commerce
>>> developers).
>> I'm sorry Michael for getting on your nerves, but there is
>>
>> d) Do it the consistent way; keep track of issued session ids.
>> (meaning save all sid in be_/fe_sessions)
>
> I'm confused. What happens now?
>
> I always thought that generating SIDs but not storing them is stupid. Is
> this changed now?

No, this hasn't changed and will not change with this patch. Only
session ids of authenticated users are written to be/fe_sessions table.
Due to this, sids change during a user's requests and in our case
commerce isn't able to keep a relationship between a user and its basket.

Marcus.