[TYPO3-core] RFC #0013938: Backend session is locked to useragent

Helmut Hummel helmut.hummel at typo3.org
Tue Jan 18 20:29:27 CET 2011


Hi,

On 03.09.10 23:14, Helmut Hummel wrote:

> On 03.09.10 21:00, Helmut Hummel wrote:
> 
>> Additionally I moved the setting of lockHashKeyWords a bit down because
>> it was in between session id retrieving/generation.

We should get this into 4.5.

How to test:

1. apply patch (obvious)
2. set $TYPO3_CONF_VARS['BE']['lockHashKeyWords'] = ''; in localconf.php
3. log into the backend
4. change your user agent e.g. with:
   https://addons.mozilla.org/de/firefox/addon/user-agent-switcher/
5. confirm that you will not be logged out after the next request, like
   it is the case without patch

Thanks.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org

