[TYPO3-core] RFC #9683: Store OpenID information in database instead of using the filesystem

Dmitry Dulepov dmitry.dulepov at gmail.com
Thu Nov 26 10:37:40 CET 2009


Hello!

This is an SVN patch request.

Branches: 4.3.1, 4.4

Type: feature, security

Problem:
OpenID requires a storage in which to put intermediate OpenID data (such as associations and nonces). Currently this is stored in the file system. It has certain risks, such as collisions and guessing of file names with further secret retrieval by an attacker. Risks are small because the OpenID library generates random names, but they exist.

Solution:
Provide a database storage for the OpenID.

Notes:
- this patch also increases extension version to 1.0.0
- there will be no more typo3temp/tx_openid
- there is a safety precaution against session usage on the edge of the time interval. This issue causes a "Login timeout" from TYPO3 when the association expires in the middle of the authentication

-- 
Dmitry Dulepov
"Trust me, I am a doctor!" (c) Gregory House, M.D.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9683_v2.diff
Type: text/x-diff
Size: 15838 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20091126/d26377b0/attachment.diff>

