[TYPO3-core] RFC #0013938: Backend session is locked to useragent
Helmut Hummel
helmut.hummel at typo3.org
Tue Jan 18 20:29:27 CET 2011
Hi,
On 03.09.10 23:14, Helmut Hummel wrote:
> On 03.09.10 21:00, Helmut Hummel wrote:
>
>> Additionally I moved the setting of lockHashKeyWords a bit down because
>> it was in between session id retrieving/generation.
We should get this into 4.5.
How to test:
1. apply patch (obvious)
2. set $TYPO3_CONF_VARS['BE']['lockHashKeyWords'] = ''; in localconf.php
3. log into the backend
4. change your user agent e.g. with:
https://addons.mozilla.org/de/firefox/addon/user-agent-switcher/
5. confirm that you will not be logged out after the next request, as
is the case without the patch
Thanks.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org