[TYPO3-core] RFC: 11089 Fixing the built-in shopping basket

Helmut Hummel helmut at typo3.org
Mon Jan 18 00:39:24 CET 2010


Hi Benni,

On 17.01.10 19:08, Benjamin Mack wrote:
> 
> 1) I always get a new session ID in the FE when not logged in, very
> weird. There is still an issue with the Session.

Right.

That's because the session id of a frontend user will only be stored in
fe_sessions if a user is logged in.

To avoid session fixation TYPO3 must issue a new session id if it is not
sure that the transmitted id comes from the system (is in database).

A workaround was introduced to allow unauthenticated user sessions: it
is checked whether data is stored in fe_session_data for the found
session id. If this is the case, the session id is accepted as valid.

This means, that as long as no session data is stored in a session, a
new session id is issued.

That's why $this->id (the session id TYPO3 generated) can never match
$this->cookieId (the session id transmitted by the client). And because
of this check no data can ever be stored in fe_session_data, resulting
in a changing session id ...

> 2) My maxSizeofSessionData is 100K by default, thus it's always > 0, and
> then the shopping basket does not work at all.

Of course. Stupid me. The check should be removed completely as you
suggested. But now I'm also fine with Mattes' patch, as it gives a
minimum benefit.

So here (again) my +1 for the first patch of Mattes

It would of course also be nice to rework the session handling, but this
should go in another RFC ;)

Helmut


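The session-id handling Helmut describes above (accept a transmitted id only if it is in fe_sessions or already has rows in fe_session_data, otherwise issue a fresh one, and write data only when the generated id equals the transmitted one) is modelled in the following added example. It is a small Python simulation written for this page, not TYPO3's PHP code; the class, method names and the `require_issued_id_for_write` switch are assumptions made for illustration, and the basket items are constructed input. It shows the chicken-and-egg behaviour with the check in place, the behaviour once the check is removed, and why an id the server did not issue is never adopted:

```python
"""Toy model of the frontend-session behaviour discussed in the mail.

Added example, not TYPO3 code. fe_sessions / fe_session_data and the
"issued id vs. cookie id" check mirror the mail; everything else is an
assumption for illustration.
"""
import secrets
from typing import Dict, List, Optional, Set


class FrontendSessionStore:
    def __init__(self, require_issued_id_for_write: bool) -> None:
        self.fe_sessions: Set[str] = set()           # ids of logged-in users
        self.fe_session_data: Dict[str, dict] = {}   # session id -> stored data
        # True models the check the mail says blocks the basket: data is
        # written only when the id the server generated equals the id the
        # client transmitted.
        self.require_issued_id_for_write = require_issued_id_for_write

    @staticmethod
    def new_id() -> str:
        return secrets.token_hex(16)

    def resolve_id(self, cookie_id: Optional[str]) -> str:
        """Decide which session id this request runs under.

        A transmitted id is accepted only if the server already knows it:
        it belongs to a logged-in user (fe_sessions) or, as the workaround
        for anonymous sessions, already has rows in fe_session_data.
        Anything else is replaced by a fresh id, so an id chosen by an
        attacker (session fixation) is never adopted.
        """
        if cookie_id is not None and (
            cookie_id in self.fe_sessions or cookie_id in self.fe_session_data
        ):
            return cookie_id
        return self.new_id()

    def handle_request(self, cookie_id: Optional[str], write: Optional[dict] = None) -> str:
        """Process one request; returns the id the client should keep as its cookie."""
        issued_id = self.resolve_id(cookie_id)
        if write is not None:
            if self.require_issued_id_for_write and issued_id != cookie_id:
                # First anonymous visit: issued_id is fresh, cookie_id is not.
                # Nothing is written, so the next request is again unknown and
                # again gets a new id: the basket can never persist.
                return issued_id
            self.fe_session_data.setdefault(issued_id, {}).update(write)
        return issued_id


def simulate_anonymous_basket(store: FrontendSessionStore, items: List[str]) -> List[str]:
    """One browser adds `items` to its basket over successive requests,
    replaying whatever cookie it was last given. Returns the ids issued."""
    cookie: Optional[str] = None
    issued: List[str] = []
    for item in items:
        cookie = store.handle_request(cookie, write={item: 1})
        issued.append(cookie)
    return issued


def fixation_attempt(store: FrontendSessionStore, attacker_id: str) -> str:
    """A victim arrives carrying an id the attacker planted in the cookie.
    Returns the id the server actually runs the request under."""
    return store.handle_request(attacker_id)


if __name__ == "__main__":
    items = ["apple", "pear", "plum"]  # constructed sample basket

    buggy = FrontendSessionStore(require_issued_id_for_write=True)
    ids = simulate_anonymous_basket(buggy, items)
    print("with check:   ", len(set(ids)), "distinct ids, stored:", buggy.fe_session_data)

    fixed = FrontendSessionStore(require_issued_id_for_write=False)
    ids = simulate_anonymous_basket(fixed, items)
    print("check removed:", len(set(ids)), "distinct id,  stored:", fixed.fe_session_data)

    print("attacker id adopted:", fixation_attempt(fixed, "attacker-chosen") == "attacker-chosen")
```

Note the residual risk of the workaround, which is a general property of any "accept an id that already has data" rule and not a statement about TYPO3 internals: once an anonymous id has rows in fe_session_data it is accepted from any client, so an attacker can obtain such an id and plant it in a victim's browser; regenerating the session id at login is what keeps that from turning into an authenticated session.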