[TYPO3-core] RFC #9683: Store OpenID information in database instead of using the filesystem

Steffen Ritter info at rs-websystems.de
Thu Nov 26 20:11:29 CET 2009


Dmitry Dulepov schrieb:
> Hello!
> 
> This is SVN patch request.
> 
> Branches: 4.3.1, 4.4
> 
> Type: feature, security
> 
> Problem:
> OpenID requires a storage where to put intermediate OpenID data (such as 
> associations and nonces). Currently this is stored in the file system. 
> It has certain risks such as collisions and guessing of file names with 
> further secret retrieval by an attacker. Risks are small because OpenID 
> library generates random names but they exist.
> 
> Solution:
> Provide a database storage for the OpenID.
> 
> Notes:
> - this patch also increases extension version to 1.0.0
> - there will be no more typo3temp/tx_openid
> - there is a safety precaution against a session usage on the edge of 
> the time interval. This issue causes "Login timeout" from TYPO3 when the 
> association expires in the middle of the authentication
> 
I personally do not use OpenId so I'm not able to test. But I've read 
enough "does not work" from people who say it does not work, so I vote for 
dropping this one and searching for another solution.
If it does not work for them out of the box, it won't for the "DAU" 
either ...

regards

Steffen
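For readers following the design point in the quoted request (moving OpenID associations and nonces from files into a database, with a safety margin so an association cannot expire in the middle of an authentication), here is an added illustration. It is not Dmitry's patch or TYPO3 code: the table layout, the 60-second margin, the 600-second nonce window and the hypothetical `OpenIdStore` class are all assumptions chosen for the example, and SQLite stands in for the real database.

```python
import sqlite3
import time

# Assumed values for this example; the actual patch's margin is not stated on the page.
SAFETY_MARGIN = 60   # seconds before nominal expiry at which an association is retired
NONCE_SKEW = 600     # seconds a response nonce may differ from our clock


class OpenIdStore:
    """Hypothetical DB-backed store for OpenID associations and nonces.

    Storing rows keyed by (server_url, handle) and (server_url, ts, salt) gives
    the database the job of preventing collisions, and a uniqueness violation
    on the nonce table is exactly the replay signal a relying party needs.
    """

    def __init__(self, conn, now=time.time):
        self.conn = conn
        self.now = now  # injectable clock so expiry behaviour can be tested
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS assoc ("
            " server_url TEXT NOT NULL, handle TEXT NOT NULL, secret BLOB NOT NULL,"
            " issued INTEGER NOT NULL, lifetime INTEGER NOT NULL,"
            " PRIMARY KEY (server_url, handle))")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS nonce ("
            " server_url TEXT NOT NULL, ts INTEGER NOT NULL, salt TEXT NOT NULL,"
            " PRIMARY KEY (server_url, ts, salt))")
        self.conn.commit()

    def store_association(self, server_url, handle, secret, lifetime):
        self.conn.execute("INSERT OR REPLACE INTO assoc VALUES (?, ?, ?, ?, ?)",
                          (server_url, handle, secret, int(self.now()), lifetime))
        self.conn.commit()

    def get_association(self, server_url, handle):
        row = self.conn.execute(
            "SELECT secret, issued, lifetime FROM assoc WHERE server_url = ? AND handle = ?",
            (server_url, handle)).fetchone()
        if row is None:
            return None
        secret, issued, lifetime = row
        # Safety precaution: an association that would expire within the margin is
        # treated as already expired, so a login started now cannot outlive it.
        if issued + lifetime - SAFETY_MARGIN <= self.now():
            self.conn.execute("DELETE FROM assoc WHERE server_url = ? AND handle = ?",
                              (server_url, handle))
            self.conn.commit()
            return None
        return secret

    def use_nonce(self, server_url, ts, salt):
        """Return True the first time a nonce is seen inside the skew window, else False."""
        now = int(self.now())
        if abs(now - ts) > NONCE_SKEW:
            return False  # too old or too far in the future to trust
        # Purge nonces that have aged out so the table cannot grow without bound.
        self.conn.execute("DELETE FROM nonce WHERE ts < ?", (now - NONCE_SKEW,))
        try:
            self.conn.execute("INSERT INTO nonce VALUES (?, ?, ?)", (server_url, ts, salt))
            self.conn.commit()
            return True
        except sqlite3.IntegrityError:
            return False  # primary-key clash: this nonce was already consumed


def run_demo():
    """Drive the store with a fake clock; returns the observable results."""
    clock = [1000]
    store = OpenIdStore(sqlite3.connect(":memory:"), now=lambda: clock[0])
    op = "https://op.example/"  # constructed provider URL

    store.store_association(op, "h1", b"shared-secret", lifetime=300)
    fresh = store.get_association(op, "h1")          # well inside lifetime
    clock[0] = 1000 + 300 - SAFETY_MARGIN + 1         # one second into the margin
    near_expiry = store.get_association(op, "h1")    # retired early: None

    first = store.use_nonce(op, 1000, "abc")          # first use accepted
    replay = store.use_nonce(op, 1000, "abc")         # same nonce again: rejected
    stale = store.use_nonce(op, 0, "old")             # outside skew window: rejected
    return fresh, near_expiry, first, replay, stale


if __name__ == "__main__":
    print(run_demo())
```

The injectable clock is what makes the edge case in the quoted notes testable: the second lookup happens before the association's nominal expiry, yet the store already refuses it, which is the behaviour that avoids a "Login timeout" part-way through an authentication.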

