[TYPO3-core] RFC: #17289: Form protection tokens get lost because of a race condition when persisting tokens

Marcus Schwemer typo3 at schwemer.de
Tue Jan 25 14:09:23 CET 2011


Hi,

may I point you to another issue in this thread, because I think it's 
also related to the CSRF protection:

I am not able to set a new install tool password any more.

I filed a new bug report on mantis:

http://bugs.typo3.org/bug_view_advanced_page.php?bug_id=17299

Thanks for your hard work!

Kind regards,
Marcus

Helmut Hummel wrote on 25.01.11 10:44:
> This is an SVN patch request.
>
> Type: Bugfix
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=17289
>
> Branches:
> Trunk
>
> Problem:
> If two (or more) scripts are executed (almost) at the same time, both
> scripts retrieve the same token array from the session. Both scripts
> will create new tokens independently. The script that is executed last
> will then overwrite the tokens generated by the first script.
>
> Solution:
> Before writing all tokens back to the session we need to retrieve the
> current tokens from the session again and lock this for one process only.
>
> How to test:
> * Apply the test patch
> * Reload the backend
> * Go to file list module and wait until both frames loaded
> * Hover over the help icon in navigation frame
>
> Note: I added a sleep call in the test patch to force the problem, so do
> not wonder that the nav-frame is loading slower ;)
>
> Kind regards,
> Helmut
>
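
The lost update described in the quoted RFC, next to the lock-and-re-read fix it proposes, as an added Python sketch that is not part of the thread and not TYPO3 code. SessionStore, Request and the form names are constructed for illustration.

```python
import secrets
import threading


class SessionStore:
    """Constructed stand-in for the per-user session holding the token array."""

    def __init__(self):
        self._tokens = {}
        self.lock = threading.Lock()

    def read(self):
        return dict(self._tokens)  # every request works on its own copy

    def write(self, tokens):
        self._tokens = dict(tokens)


class Request:
    """One script run: loads the token array at start, persists at the end."""

    def __init__(self, store, form_name):
        self.store = store
        self.loaded = store.read()  # snapshot that may be stale by persist time
        self.new = {form_name: secrets.token_hex(16)}

    def persist_overwrite(self):
        # Racy variant: writes the stale snapshot plus this request's tokens.
        self.store.write({**self.loaded, **self.new})

    def persist_merge_locked(self):
        # Fix from the RFC: take the lock, re-read, add only our new tokens.
        with self.store.lock:
            current = self.store.read()
            current.update(self.new)
            self.store.write(current)


def run_interleaved(persist_name):
    """Both requests load the same (empty) array, then persist one after the other."""
    store = SessionStore()
    nav, content = Request(store, "navFrame"), Request(store, "contentFrame")
    getattr(nav, persist_name)()
    getattr(content, persist_name)()
    return sorted(store.read())


def run_threaded(n):
    """n concurrent requests using the locked merge; returns tokens kept."""
    store = SessionStore()
    threads = [threading.Thread(target=Request(store, f"form{i}").persist_merge_locked)
               for i in range(n)]
    [t.start() for t in threads]
    [t.join() for t in threads]
    return len(store.read())
```

With the overwrite variant the navigation frame's token is gone after the second write, so a form rendered by that frame would fail validation; the locked merge keeps both.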

