[TYPO3-core] RFC #9683: Store OpenID information in database instead of using the filesystem

Oliver Hader oliver at typo3.org
Sat Nov 28 20:47:45 CET 2009


Hi Dmitry,

Dmitry Dulepov wrote:
> Hello!
> 
> This is SVN patch request.
> 
> Branches: 4.3.1, 4.4
> 
> Type: feature, security
> 
> Problem:
> OpenID requires a storage where to put intermediate OpenID data (such as
> associations and nonces). Currently this is stored in the file system.
> It has certain risks such as collisions and guessing of file names with
> further secret retrieval by an attacker. Risks are small because OpenID
> library generates random names but they exist.
> 
> Solution:
> Provide a database storage for the OpenID.
> 
> Notes:
> - this patch also increases extension version to 1.0.0
> - there will be no more typo3temp/tx_openid
> - there is a safety precaution against a session usage on the edge of
> the time interval. This issue causes "Login timeout" from TYPO3 when the
> association expires in the middle of the authentication

Some small remarks (one already mentioned):
* please remove the changed comma (,) at the end of the modified SQL
definitions in the user tables
* there's a new method reset() in the store class - however, I could not
find a place in tx_openid where this would be called

Besides that:
+1 by reading and testing

Can you please commit this change to SVN Trunk to have it available for
the final release of TYPO3 4.3? Thanks!

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
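
The storage described in the quoted patch request, as an added sketch that is not part of this thread or of the TYPO3 patch: it is written in Python with SQLite rather than the extension's PHP, and the table layout, the class and method names, and the `SKEW` and `EXPIRY_MARGIN` values are all assumptions. It shows the two properties the request relies on: a nonce is checked and recorded in one atomic insert, and an association close to expiry is dropped before a login can start with it.

```python
import sqlite3
import time

SKEW = 300           # assumed: accepted nonce clock skew, in seconds
EXPIRY_MARGIN = 10   # assumed: treat associations as expired this many seconds early


class DbOpenIDStore:
    """Hypothetical database-backed store for OpenID associations and nonces."""

    def __init__(self, db):
        self.db = db
        db.execute("CREATE TABLE IF NOT EXISTS assoc (server_url TEXT, handle TEXT,"
                   " secret BLOB, expires INTEGER, PRIMARY KEY (server_url, handle))")
        db.execute("CREATE TABLE IF NOT EXISTS nonce (server_url TEXT, ts INTEGER,"
                   " salt TEXT, PRIMARY KEY (server_url, ts, salt))")

    def store_association(self, server_url, handle, secret, lifetime, now=None):
        now = int(time.time()) if now is None else now
        self.db.execute("INSERT OR REPLACE INTO assoc VALUES (?, ?, ?, ?)",
                        (server_url, handle, secret, now + lifetime))

    def get_association(self, server_url, handle, now=None):
        now = int(time.time()) if now is None else now
        # Drop anything that expires within the margin, so a login that starts
        # now cannot lose its association in the middle of the authentication.
        self.db.execute("DELETE FROM assoc WHERE expires <= ?", (now + EXPIRY_MARGIN,))
        row = self.db.execute("SELECT secret FROM assoc WHERE server_url = ?"
                              " AND handle = ?", (server_url, handle)).fetchone()
        return row[0] if row else None

    def use_nonce(self, server_url, ts, salt, now=None):
        now = int(time.time()) if now is None else now
        if abs(ts - now) > SKEW:
            return False  # too old, or too far in the future
        try:
            # The primary key makes "check and record" a single atomic step.
            self.db.execute("INSERT INTO nonce VALUES (?, ?, ?)", (server_url, ts, salt))
            return True
        except sqlite3.IntegrityError:
            return False  # already seen: a replayed response

    def cleanup_nonces(self, now=None):
        now = int(time.time()) if now is None else now
        return self.db.execute("DELETE FROM nonce WHERE ts < ?", (now - SKEW,)).rowcount


def memory_store():
    return DbOpenIDStore(sqlite3.connect(":memory:"))
```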

