[TYPO3-core] RFC #15334: Feature: Allow separate cookie domain for FE and BE

Ernesto Baschny [cron IT] ernst at cron-it.de
Wed Aug 4 09:46:25 CEST 2010


Hi Francois,

you can have a regexp as a cookie-domain, isn't that enough to define
several valid cookie domains?

   $TYPO3_CONF_VARS['SYS']['cookieDomain'] = '/^(domainFE|domainBE)$/';

If the user accesses through one of the matched domains, it is set as
the cookie domain for his session.

Cheers,
Ernesto


François Suter wrote on 03.08.2010 13:47:
> This is an SVN patch request.
> 
> Type: New feature
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=15334
> 
> Branches:
> Trunk
> 
> Problem:
> Some clients run the TYPO3 BE under a different domain name for security
> reasons. This causes problems with cookie domains as it is currently
> possible to set a single one only, used by both FE and BE. The current
> workaround would be to avoid defining a cookie domain, but this is not
> secure.
> 
> Solution:
> The attached patch introduces a separate cookie domain for the BE. If it
> is left blank, the "main" cookie domain is used for both FE and BE (i.e.
> the current behavior is unchanged).
> 
> Notes:
> How to test:
> 1) make sure your web site has a domain defined in
> $TYPO3_CONF_VARS['SYS']['cookieDomain'] (if it's blank, you can use any
> domain anyway)
> 2) define a ServerAlias with some other domain for the web site
> 3) use that alias to access the TYPO3 BE => it won't work, you get
> logged out every time, because the domain used to access the BE must
> match the domain in $TYPO3_CONF_VARS['SYS']['cookieDomain'].
> 4) apply the patch, go to the install tool and use the new domain in the
> new property $TYPO3_CONF_VARS['SYS']['cookieDomainBE']
> 5) log into the BE via the new domain => it should work now.
> 
> Cheers
> 

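An added illustration (not code from TYPO3 or from either poster) of how a regexp-style value in `$TYPO3_CONF_VARS['SYS']['cookieDomain']`, as Ernesto suggests, resolves to one cookie domain per request host; the function name, the constructed host names, and the exact fallback when nothing matches are assumptions, and the anchored pattern shows why the `^`/`$` delimiters matter for keeping lookalike hosts out.

```php
<?php
// Added example, not TYPO3's own code: resolve the cookie domain for a
// request from either a literal domain or a PCRE pattern (value starting
// with '/'). On a match the matched text becomes the cookie domain; with
// no match, or an empty/invalid value, no domain attribute is set and the
// browser scopes the cookie to the exact request host (assumed fallback).
function resolveCookieDomain(string $configured, string $requestHost): ?string
{
    if ($configured === '') {
        return null;                      // host-only cookie
    }
    if ($configured[0] === '/') {
        $matches = [];
        $count = @preg_match($configured, $requestHost, $matches);
        if ($count === false) {
            return null;                  // invalid pattern: do not guess a domain
        }
        return $count ? $matches[0] : null;
    }
    return $configured;                   // plain literal domain
}

// Constructed configuration: one FE host and one BE host, anchored with ^ and $
// so that only these two exact names can ever become the cookie domain.
$config = '/^(www\.example\.org|admin\.example\.org)$/';

// Constructed request hosts to exercise the three outcomes.
$hosts = [
    'www.example.org',                  // FE host: matches
    'admin.example.org',                // BE host: matches, cookie scoped to BE host
    'admin.example.org.attacker.test',  // rejected by the $ anchor
    'login.example.org',                // not listed: host-only cookie
];

foreach ($hosts as $host) {
    $domain = resolveCookieDomain($config, $host);
    printf("%-34s -> %s\n", $host, $domain ?? '(host-only cookie)');
}
```

Without the anchors a pattern such as `/example\.org/` would match any host containing that string, so the check above is also a quick way to verify a configured regexp before deploying it.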