[TYPO3-core] RFC #0013938: Backend session is locked to useragent
Björn Pedersen
pedersen at frm2.tum.de
Fri Sep 3 11:49:15 CEST 2010
On 03.09.2010 11:01, Markus Klein wrote:
>>
>> On 03.09.2010 09:40, Bjoern Pedersen wrote:
>>> On 03.09.2010 00:26, Marcus Krause wrote:
>>>> Hi!
>>>>
>>>> Markus Klein wrote on 09/02/2010 at 11:35 PM:
>>>>> Ok you're right!
>>>>> Nevertheless I suggest to introduce this additional option for BE,
>>>>> so one can decide whether to change this only for FE or also for BE.
>>>>> Therefore I moved this configuration into class beUserAuth.
>>>>>
>>>>> So please have a look at patch v4.
>>>>
>>>> Much better. However, there's a further possibility:
>>>> I searched for an option that allows separate configuration for FE and
>>>> BE. Such option is *lockIP*.
>>>>
>>>> For BE *the one and only place* where *lockIP* is set based on the
>>>> configuration is after the instantiation of "t3lib_beUserAuth" in
>>>> typo3/init.php around line 425.
>>>>
>>>> I'd let core devs decide what they believe is appropriate.
>>>>
>>>> Marcus.
>>>
>>> That's also what my initial patch did: Introduce separate
>>> TYPO3CONFVars for FE and BE. Setting it in the base class still allows
>>> for the differentiation.
>> Answering to myself: It seems, also BEuser->lockIP is set too often. I
>> will try to create a new patch today where everything is moved to
>> typo3confvars and t3lib-userauth.php.
>
> How do you intend to do that? I think it's not a good way to check specific
> things in a base class, which are subject to the specialized classes.
> So no references to $GLOBALS['TYPO3_CONF_VARS']['BE'] in class
> t3lib_userAuth.
> (I know that there's already some code that uses BE settings, but we
> shouldn't make it worse.)
>
> Regards
> Markus
>
>
No it will be kept generic, the checks can be based on login_type.
    // session IP lock, defaults are strict and set above
    if ($TYPO3_CONF_VARS[$this->loginType]['lockIP']) {
        $this->lockIP = $TYPO3_CONF_VARS[$this->loginType]['lockIP'];
    }
    // session hashKey lock, currently only the Useragent can be used.
    if ($TYPO3_CONF_VARS[$this->loginType]['lockHashKeyWords']) {
        $this->lockHashKeyWords = $TYPO3_CONF_VARS[$this->loginType]['lockHashKeyWords'];
    }
The complete patch is v5.
Advantages: Just one central place to check and set the options. Avoids
the risk that a be/fe_user instance is created manually and the
lockIP/lockHashKeyWords are not set. Currently a
makeInstance(beuser/feuser) is not enough. You have to remember to set
all the options as it is done e.g. in tslib_fe.
Björn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0013938_v5.patch
Type: text/x-patch
Size: 7923 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100903/48b4f85f/attachment-0001.bin>
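
The design discussed in this message, as an added example that is not part of the original post or the attached patch: a base class with strict defaults reads its lock options from the configuration section selected by its login type, so a manually created FE or BE instance cannot miss them. The class names, the lockFingerprint() helper and the SHA-256 fingerprint are hypothetical; treating lockIP as the number of leading IPv4 octets to compare and 'useragent' as the only hash keyword are assumptions.

```php
<?php
// Added illustration; class and method names are hypothetical, not TYPO3 code.
abstract class SessionAuthBase
{
    protected $loginType = '';                  // 'FE' or 'BE', set by the subclass
    protected $lockIP = 4;                      // strict default: all four octets
    protected $lockHashKeyWords = 'useragent';  // strict default: bind to user agent

    public function __construct(array $confVars)
    {
        $conf = isset($confVars[$this->loginType]) ? $confVars[$this->loginType] : array();
        // array_key_exists instead of a truthiness test: an explicit 0 or ''
        // is a deliberate choice to relax the default and must be honoured.
        if (array_key_exists('lockIP', $conf)) {
            $this->lockIP = max(0, min(4, (int)$conf['lockIP']));
        }
        if (array_key_exists('lockHashKeyWords', $conf)) {
            $this->lockHashKeyWords = (string)$conf['lockHashKeyWords'];
        }
    }

    // Stored with the session at login, recomputed and compared on each request.
    public function lockFingerprint($remoteIp, $userAgent)
    {
        $ipPart = implode('.', array_slice(explode('.', $remoteIp), 0, $this->lockIP));
        $words  = explode(',', $this->lockHashKeyWords);
        $uaPart = in_array('useragent', $words, true) ? $userAgent : '';
        return hash('sha256', $ipPart . "\n" . $uaPart);
    }
}

class BackendAuth extends SessionAuthBase { protected $loginType = 'BE'; }
class FrontendAuth extends SessionAuthBase { protected $loginType = 'FE'; }

// Constructed configuration: BE keeps the strict defaults, FE relaxes both locks.
$confVars = array(
    'BE' => array(),
    'FE' => array('lockIP' => 2, 'lockHashKeyWords' => ''),
);
$be = new BackendAuth($confVars);
$fe = new FrontendAuth($confVars);

// Constructed requests: same first two octets, different host and user agent.
$login = array('192.0.2.10', 'Mozilla/5.0 (constructed UA 1)');
$later = array('192.0.2.77', 'Mozilla/5.0 (constructed UA 2)');

// Does the later request still match the fingerprint taken at login?
var_dump($be->lockFingerprint(...$login) === $be->lockFingerprint(...$later));
var_dump($fe->lockFingerprint(...$login) === $fe->lockFingerprint(...$later));
```

With the strict defaults the backend fingerprint changes and the session would be rejected, while the relaxed frontend settings still match.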