[TYPO3-core] RFC: #17383: Open forms cannot be saved after "Relogin" (Security Token errors)

Helmut Hummel helmut.hummel at typo3.org
Sun Jan 30 20:13:51 CET 2011


Hi Steffen,

On 30.01.11 18:02, Steffen Kamper wrote:

> I had the same in mind (DOM-query) but would be more general. Tokens can 
> be in
> * links (href)
> * links (onclick)
> * form action
> 
> Areas to search:
> * top
> * navigation panel (if iframe only)
> * content panel
> 
> I check this and will come with a more general query method if you agree.

Not all tokens are equivalent: a token for an alt_doc cannot be used for
a tce action and vice versa. Additionally it is not possible to "know"
on the PHP side which frames with which tokens are rendered. So it's a bit
trickier than it seems.

The only way would be to collect (and identify the type of) all "old"
tokens on the client side, hand them over to an ajax action which is
also only executable with an appropriate token, which is generated
during relogin. Not easy but still doable, I'll give it a try.

Would it fit, if I'd put such a method in the ajaxlogin class?

> Then I'm a bit irritated about two different RFCs about that. If this is 
> the new one and replaces the old, could you "drop" the other one?

I wrote in the other RFC that it can be dropped in favour of this one.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
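Added example, not code from this mail or from TYPO3: a sketch of the client-side half of the approach described above, i.e. collecting the "old" tokens of the rendered frames, telling alt_doc tokens from tce tokens by the script their URL points at (the type cannot be read out of the token itself), bundling them with the token handed out during relogin for the refreshing ajax action, and writing the server's replacements back into the markup. The parameter name formToken, the script names alt_doc.php and tce_db.php, the hex token format, the ajaxID value and the sample frame markup are assumptions made for illustration.

```javascript
// Added example, not TYPO3 code: client-side collection of the "old"
// security tokens of the rendered frames and the payload for a
// relogin-protected ajax refresh action. The parameter name, the script
// names, the token format and the ajaxID are assumptions for illustration.

const TOKEN_PARAM = 'formToken'; // assumed request parameter carrying the token

// A token is bound to the action it was generated for: an alt_doc token is
// not valid for a tce action. The client cannot read the type out of the
// token itself, so it derives it from the script the URL points at.
function tokenTypeFor(url) {
  if (/\balt_doc\.php\b/.test(url)) return 'alt_doc';
  if (/\btce_db\.php\b/.test(url)) return 'tce';
  return 'unknown';
}

// Find every token in href="", action="" and onclick="" attributes of one
// frame's markup. A regex over the markup keeps the example free of a DOM;
// in the backend one would walk the top, navigation and content frames.
function collectTokens(html) {
  const attr = /\b(?:href|action|onclick)\s*=\s*"([^"]*)"/gi;
  const tokenRe = new RegExp('[?&]' + TOKEN_PARAM + '=([0-9a-f]+)');
  const found = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[1].replace(/&amp;/g, '&');
    const tok = tokenRe.exec(value);
    if (tok) found.push({ type: tokenTypeFor(value), token: tok[1], url: value });
  }
  return found;
}

// Build the request for the refresh action. The action is only executable
// with the token handed out during relogin, so that token travels along.
function buildRefreshRequest(frames, reloginToken) {
  if (!reloginToken) throw new Error('relogin token required');
  const byKey = new Map(); // dedupe: one entry per (type, token) pair
  for (const html of frames) {
    for (const t of collectTokens(html)) {
      if (t.type === 'unknown') continue; // the server could not classify it either
      byKey.set(t.type + ':' + t.token, { type: t.type, token: t.token });
    }
  }
  return { ajaxID: 'BackendLogin::refreshTokens', reloginToken, tokens: [...byKey.values()] };
}

// Apply the mapping old -> new returned by the server to a frame's markup;
// tokens the server did not replace are left untouched.
function applyNewTokens(html, replacements) {
  const re = new RegExp(TOKEN_PARAM + '=([0-9a-f]+)', 'g');
  return html.replace(re, (match, old) =>
    Object.prototype.hasOwnProperty.call(replacements, old)
      ? TOKEN_PARAM + '=' + replacements[old]
      : match);
}

// Constructed sample of a content frame (not real TYPO3 output).
const SAMPLE_FRAME = `
<a href="alt_doc.php?edit[pages][1]=edit&amp;formToken=aaaa1111">Edit</a>
<a href="#" onclick="window.location.href='tce_db.php?cmd[pages][1][delete]=1&amp;formToken=bbbb2222'; return false;">Delete</a>
<form action="alt_doc.php?returnUrl=index.php&amp;formToken=aaaa1111" method="post"></form>
<a href="mod_other.php?formToken=cccc3333">Other module</a>
`;

console.log(JSON.stringify(buildRefreshRequest([SAMPLE_FRAME], 'relogin9999'), null, 2));
```

The refresh request deliberately carries the token type next to each old token, since the server has no record of which frames were rendered and has to regenerate each token for the action it belongs to; tokens whose type the client cannot determine are dropped rather than guessed.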