[TYPO3-core] RFC #13470: Session/Login not working in IE8 across subdomains

Ernesto Baschny [cron IT] ernst at cron-it.de
Wed Feb 24 20:47:11 CET 2010


Hi,

committed to:

- trunk (rev. 7027), will be in 4.4alpha2
- TYPO3-4_3 (rev. 7028), will be in 4.3.3
- TYPO3-4_2 (rev. 7029), will be in 4.2.13
- TYPO3-4_1 (rev. 7030), will be (maybe) in 4.1.14.

Cheers,
Ernesto

Ernesto Baschny [cron IT] wrote on 12.02.2010 10:22:
> This is an SVN patch request.
> 
> Type: Bugfix
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=13470
> 
> Branches:
> trunk, TYPO3_4-2 and TYPO3_4-1
> 
> Problem:
> Session information is lost when the user first accesses a site with a
> "domain" (e.g. domain.com) and later switches to a "subdomain" (e.g.
> www.domain.com). This only happens with IE8 (and potentially IE7, I
> cannot test).
> 
> 
> How to reproduce:
> 1) Choose a site with login where the domain shares the login with the
> subdomain.
> 2) Visit once "domain.com" (without the subdomain)
> 3) Change to "www.domain.com"
> 4) Login with IE8
> 5) Click on another page: You are not logged in anymore
> 
> 
> This problem is related to:
> 
> a) the "fe-session fixation" fix which changes the session ID whenever
> there is no session data stored yet. This was introduced in 4.2.4 (and
> also 4.3.0) so the problem probably does not appear on previous TYPO3
> versions. [1]
> 
> b) an IE8 "bug" (or feature?) which is reproducible.
> 
> 
> Why it happens:
> 
> 1) The trouble begins if you visit the site without "www.". TYPO3 will
> generate a fe_typo_user=AAA cookie and send it to the IE8 (Set-Cookie).
> 
> 2) Then you switch to the "www." version (or the "support." variant).
> Because the user is not logged in yet, there is no session data, so
> TYPO3 will generate a new fe_typo_user=BBB cookie for that request also.
> 
> Now the IE8 bug comes in. On every further request, it will send both
> cookies back to the server:
> 
>    Cookie: fe_typo_user=AAA; fe_typo_user=BBB
> 
> PHP will use the first one: $_COOKIE['fe_typo_user'] = "AAA".
> 
> 3) The user then "logs in". TYPO3 will store the information in the "BBB"
> session. For "this hit" the user is logged in.
> 
> 4) On next request (user clicks somewhere else), PHP again passes the
> "AAA" cookie to TYPO3 (session where the user hasn't logged in) so TYPO3
> thinks it is not logged in (and will also generate a new session id).
> 
> 
> This seems to happen only for cookies set for a shorter host (e.g.
> "domain.XXX") when you later switch to a more specific host (e.g.
> "www.domain.XXX").
> 
> The IE8 bug doesn't depend on whether you send a "domain=" specifier with
> your cookie, meaning that the TYPO3 setting "cookieDomain" doesn't make
> the trouble disappear.
> 
> 
> Solution:
> 
> The solution makes TYPO3 analyse the full $_SERVER['HTTP_COOKIE']
> variable instead of relying on $_COOKIE only.
> 
> 
> 
> Cheers,
> Ernesto
> 
> [1]
> http://forge.typo3.org/repositories/diff/typo3v4-core/branches/TYPO3_4-2/t3lib/class.t3lib_userauth.php?rev=4784
> 
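
The failure mode described in the quoted report, as an added example written for this page. This is not TYPO3's patch (that lives in the revisions listed above); the function names parseCookieHeader and selectSessionId, the $sessionExists lookup closure, the constructed Cookie header and the one-entry session store are all assumptions made here. It reads every value the client sent for a cookie name from the raw Cookie header, which is what $_COOKIE hides, and then picks the session id that actually has server-side data. The fallback to the last value sent is a design choice of this example, not something the report prescribes.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's own patch: read every value the client sent
// for a cookie name from the raw Cookie header, then pick the session id
// that really has server-side data instead of trusting $_COOKIE, which
// only exposes the first duplicate.

/**
 * Parse a raw Cookie request header into name => list of values.
 * Duplicate names are kept, in the order the client sent them.
 */
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        $eq = strpos($pair, '=');
        if ($pair === '' || $eq === false) {
            continue; // skip empty or malformed fragments without "="
        }
        $name = trim(substr($pair, 0, $eq));
        if ($name === '') {
            continue;
        }
        // PHP url-decodes cookie values when filling $_COOKIE; mirror that.
        $cookies[$name][] = urldecode(trim(substr($pair, $eq + 1)));
    }
    return $cookies;
}

/**
 * Pick one session id from the candidates the client sent.
 * $sessionExists is a hypothetical lookup (e.g. a fe_sessions query) that
 * reports whether the backend holds a record for an id. The first candidate
 * with a record wins; with none, fall back to the last value sent, which in
 * the IE8 case is the cookie that was set for the more specific host.
 */
function selectSessionId(array $candidates, callable $sessionExists): ?string
{
    foreach ($candidates as $id) {
        if ($sessionExists($id)) {
            return $id;
        }
    }
    return $candidates === [] ? null : end($candidates);
}

// Constructed request header, modelled on the one quoted in the report:
// IE8 returns both the cookie set for domain.com and the one for www.domain.com.
$rawHeader = 'fe_typo_user=AAA; fe_typo_user=BBB';

// Constructed session backend: the user logged in while BBB was current,
// so only BBB has session data; AAA is the empty session from the first visit.
$sessions = ['BBB' => true];
$sessionExists = fn(string $id): bool => isset($sessions[$id]);

$values = parseCookieHeader($rawHeader)['fe_typo_user'];

// What $_COOKIE['fe_typo_user'] holds for this header: the first duplicate.
$fromSuperglobal = $values[0];
// What the full-header analysis yields.
$chosen = selectSessionId($values, $sessionExists);

printf("\$_COOKIE-style: %s -> logged in: %s\n",
    $fromSuperglobal, $sessionExists($fromSuperglobal) ? 'yes' : 'no');
printf("full header:    %s -> logged in: %s\n",
    $chosen, $sessionExists($chosen) ? 'yes' : 'no');
```

Run it with `php cookie_demo.php`. Preferring the candidate that has a session record does not widen what a client can reach: any id it could win this way it could already have presented as the only cookie. It also leaves the session-fixation fix from [1] intact, since ids without stored data are still never treated as authenticated and get regenerated as before.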

