[TYPO3-core] RFC #13470: Session/Login not working in IE8 across subdomains

Ernesto Baschny [cron IT] ernst at cron-it.de
Fri Feb 12 10:22:44 CET 2010


This is an SVN patch request.

Type: Bugfix

Bugtracker references:
http://bugs.typo3.org/view.php?id=13470

Branches:
trunk, TYPO3_4-2 and TYPO3_4-1

Problem:
Session information is lost when the user first accesses a site with a
"domain" (e.g. domain.com) and later switches to a "subdomain" (e.g.
www.domain.com). This only happens with IE8 (and potentially IE7, I
cannot test).


How to reproduce:
1) Choose a site with login where the domain shares the login with the
subdomain.
2) Visit once "domain.com" (without the subdomain)
3) Change to "www.domain.com"
4) Login with IE8
5) Click on another page: You are not logged in anymore


This problem is related to:

a) the "fe-session fixation" fix which changes the session ID whenever
there is no session data stored yet. This was introduced in 4.2.4 (and
also 4.3.0) so the problem probably does not appear on previous TYPO3
versions. [1]

b) an IE8 "bug" (or feature?) which is reproducible.


Why it happens:

1) The trouble begins if you visit the site without "www.". TYPO3 will
generate a fe_typo_user=AAA cookie and send it to IE8 (Set-Cookie).

2) Then you switch to the "www." version (or the "support." variant).
Because the user is not logged in yet, there is no session data, so
TYPO3 generates a new fe_typo_user=BBB cookie for that request as well.

Now the IE8 bug comes in. On every further request, it will send both
cookies back to the server:

   Cookie: fe_typo_user=AAA; fe_typo_user=BBB

PHP will use the first one: $_COOKIE['fe_typo_user'] = "AAA".

3) The user then logs in. TYPO3 stores the login information in the "BBB"
session, so for this one hit the user is logged in.

4) On the next request (the user clicks somewhere else), PHP again passes
the "AAA" cookie (a session in which the user has not logged in) to TYPO3,
so TYPO3 treats the user as not logged in (and generates yet another new
session ID).


This only seems to happen when a cookie is set for a shorter host (e.g.
"domain.XXX") and you later switch to a more specific host (e.g.
"www.domain.XXX").

The IE8 bug does not depend on whether a "domain=" attribute is sent with
the cookie, so the TYPO3 setting "cookieDomain" does not make the problem
go away.


Solution:

The solution makes TYPO3 analyse the full $_SERVER['HTTP_COOKIE'] header
instead of relying on $_COOKIE alone, which keeps only the first value
for a given cookie name.
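To illustrate the point, here is an added example (my own code, not the attached patch) that parses the raw Cookie header so duplicate fe_typo_user values are all visible, and then picks a session ID among them. The choice rule (prefer a candidate that has stored session data, else the last one sent) and the $sessionExists lookup are assumptions for the example, not necessarily what the patch does.

```php
<?php
// Added example: recover every value of a cookie from the raw Cookie header.
// $rawHeader would normally be $_SERVER['HTTP_COOKIE'].

/**
 * Return all values sent for $cookieName, in header order.
 * PHP's $_COOKIE keeps only the first occurrence, which is what breaks here.
 */
function getAllCookieValues(string $rawHeader, string $cookieName): array {
    $values = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // ignore empty segments and malformed pairs
        }
        list($name, $value) = explode('=', $pair, 2);
        if (trim($name) === $cookieName) {
            $values[] = urldecode($value);
        }
    }
    return $values;
}

/**
 * Choose the session ID to use: the first candidate with stored session
 * data wins; otherwise fall back to the last one sent. $sessionExists is a
 * hypothetical lookup (e.g. against the fe_sessions table), assumed here.
 */
function resolveSessionId(array $candidates, callable $sessionExists): ?string {
    foreach ($candidates as $id) {
        if ($sessionExists($id)) {
            return $id;
        }
    }
    return $candidates ? end($candidates) : null;
}

// Constructed request reproducing the duplicate header from the report.
$rawHeader = 'fe_typo_user=AAA; fe_typo_user=BBB; other=1';
$stored = ['BBB' => true]; // only the "BBB" session holds the login data

$candidates = getAllCookieValues($rawHeader, 'fe_typo_user');
$chosen = resolveSessionId($candidates, function ($id) use ($stored) {
    return isset($stored[$id]);
});
printf("candidates: %s, chosen: %s\n", implode(',', $candidates), $chosen);
```

With this header, $_COOKIE['fe_typo_user'] would be "AAA", whereas the header parser yields both values and the resolver selects the session that actually carries the login.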



Cheers,
Ernesto

[1]
http://forge.typo3.org/repositories/diff/typo3v4-core/branches/TYPO3_4-2/t3lib/class.t3lib_userauth.php?rev=4784
Attachments:
13470_v2-trunk.diff:
http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100212/213e2bb4/attachment.txt
13470_v2-4_1.diff:
http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100212/213e2bb4/attachment.asc
13470_v2-4_2.diff:
http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100212/213e2bb4/attachment-0001.txt