Index: t3lib/class.t3lib_beuserauth.php
===================================================================
--- t3lib/class.t3lib_beuserauth.php (Revision 8773)
+++ t3lib/class.t3lib_beuserauth.php (Arbeitskopie)
@@ -371,7 +371,7 @@
 * @return string
 */
 function veriCode() {
- return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
+ return substr(md5($this->getIdHash . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
 }
@@ -393,7 +393,7 @@
 $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
 '*',
 $this->session_table.','.$this->user_table,
- $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
+ 'MD5(' . $this->session_table.'.ses_id) = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->getIdHash(), $this->session_table).'
 AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
 AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
 '.$this->ipLockClause().'
Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (Revision 8773)
+++ t3lib/class.t3lib_userauth.php (Arbeitskopie)
@@ -157,6 +157,7 @@
 // Internals
 var $id; // Internal: Will contain session_id (MD5-hash)
+ protected $idHash; // Internal: MD5 hash of the session id, used in combination with veriCode (vC)
 var $cookieId; // Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
 var $loginFailure = FALSE; // Indicates if an authentication was started but failed
 var $loginSessionStarted = FALSE; // Will be set to true if the login session is actually written during auth-check.
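Review bot: `$this->getIdHash` on the added line of veriCode() is a property read, not a method call — no property of that name is declared, so the expression evaluates to null and the hash degenerates to `substr(md5($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10)`, i.e. the same value for every session. That removes the per-session binding the veriCode exists to provide and will also emit an undefined-property notice on every call. The line should read `return substr(md5($this->getIdHash() . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);`. Since idHash is now handed to the browser (see the backend.php hunk), the secrecy of veriCode then rests entirely on encryptionKey, which is worth stating in the method's docblock.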
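Review bot: Wrapping the session column in `MD5(ses_id)` in the new WHERE clause of the session query makes the lookup non-sargable — the database must hash every row of the session table on each request instead of using the index on ses_id, and `MD5()` is a database-specific function in a query that is otherwise built through the TYPO3_DB abstraction layer. The cookie path still has the plain id available, so compare that directly and use the hashed comparison only when resuming via idHash, e.g. build the clause first: `$sesIdClause = $this->id ? $this->session_table . '.ses_id = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table) : 'MD5(' . $this->session_table . '.ses_id) = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($this->getIdHash(), $this->session_table);` and interpolate `$sesIdClause` where the removed line was. If the hashed lookup is needed on every request, a separate indexed column holding the hash avoids both problems. The query and its enclosing function begin before this hunk.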
@@ -769,6 +770,11 @@
 $dbres = $this->fetchUserSessionFromDB();
 if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+ // Set session id if not set (authorized by idHash and veriCode):
+ if (!$this->id) {
+ $this->id = $user['ses_id'];
+ }
+
 // A user was found
 if (is_string($this->auth_timeout_field)) {
 $timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
@@ -944,6 +950,20 @@
 }
 /**
+ * Gets the current idHash.
+ *
+ * @return string
+ */
+ public function getIdHash() {
+ if (!isset($this->idHash)) {
+ $idHash = t3lib_div::_GP('idHash');
+ $this->idHash = ($idHash ? $idHash : md5($this->id));
+ }
+
+ return $this->idHash;
+ }
+
+ /**
 * This returns the where-clause needed to lock a user to a hash integer
 *
 * @return string
Index: typo3/js/flashupload.js
===================================================================
--- typo3/js/flashupload.js (Revision 8773)
+++ typo3/js/flashupload.js (Arbeitskopie)
@@ -280,6 +280,7 @@
 swfConfig.post_params = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
 // add the veriCode from the backend.php to verify the session with the flash client
 swfConfig.post_params.vC = top.TS.veriCode;
+ swfConfig.post_params.idHash = top.TS.idHash;
 swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
 this.setFileTypeRestrictions(this.uploadFileTypes);
 return swfConfig;
Index: typo3/backend.php
===================================================================
--- typo3/backend.php (Revision 8773)
+++ typo3/backend.php (Arbeitskopie)
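Review bot: The added fallback `if (!$this->id) { $this->id = $user['ses_id']; }` resumes a session that was located purely by the request-supplied idHash, yet nothing in this hunk compares the veriCode that the comment names as the second factor; if that comparison happens elsewhere, the comment should say where, because as written the idHash alone appears sufficient to adopt the session. The assignment should be guarded by the result of comparing the posted vC against veriCode(), e.g. `if (!$this->id && $veriCodeMatches) {` with `$veriCodeMatches` computed just above it, and the fallback should be limited to the upload entry point rather than running on every authentication pass. It is also worth setting `$this->cookieId` consistently here or documenting why it intentionally stays unset, since other code treats it as the reliable session indicator. The enclosing function begins before this hunk.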
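Review bot: getIdHash() lets the request parameter override the cookie: `$this->idHash = ($idHash ? $idHash : md5($this->id))` prefers `t3lib_div::_GP('idHash')` even when `$this->id` was already populated from the session cookie, so a request carrying both selects a different session row than the one the cookie names while `$this->id` keeps the cookie's value (the @@ -769 fallback does not overwrite a set id). The parameter should only be consulted when no cookie session exists, read from POST rather than GET, and checked for shape before use: `$idHash = $this->id ? '' : t3lib_div::_POST('idHash'); $this->idHash = preg_match('/^[0-9a-f]{32}$/', $idHash) ? $idHash : md5($this->id);`. Accepting it through _GP means a session-equivalent value is also honoured in the query string, where it would land in access logs and Referer headers. The docblock should state that the returned value is treated as a session credential by fetchUserSessionFromDB.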
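Review bot: `swfConfig.post_params.idHash = top.TS.idHash;` places a session-equivalent value into the upload form data next to vC, so it is only as safe as the destination the SWF posts to; the upload URL must stay same-origin and on the same scheme as the backend, and the value must never be moved into the query string (the PHP side accepts it via _GP). The existing comment only explains vC; extend it so the next reader knows the stakes, e.g. `// idHash lets the server find the session for the flash client (presumably because it does not send the session cookie); treat it like the session cookie itself`. The enclosing function begins before this hunk.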
@@ -361,6 +361,7 @@
 'condensedMode' => $GLOBALS['BE_USER']->uc['condensedMode'] ? 1 : 0 ,
 'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->workspace != 0 && !$GLOBALS['BE_USER']->user['workspace_preview'] ? 0 : 1,
 'veriCode' => $GLOBALS['BE_USER']->veriCode(),
+ 'idHash' => $GLOBALS['BE_USER']->getIdHash(),
 'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
 'showRefreshLoginPopup' => isset($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) ? intval($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) : FALSE,
 );
@@ -442,6 +443,7 @@
 this.navFrameWidth = 0;
 this.securityLevel = TYPO3.configuration.securityLevel;
 this.veriCode = TYPO3.configuration.veriCode;
+ this.idHash = TYPO3.configuration.idHash;
 this.denyFileTypes = TYPO3.configuration.denyFileTypes;
 }
 var TS = new typoSetup();
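Review bot: `'idHash' => $GLOBALS['BE_USER']->getIdHash()` exposes md5(ses_id) to page JavaScript through TYPO3.configuration (and the @@ -442 hunk copies it into `TS.idHash`); combined with the `MD5(ses_id)` lookup added in t3lib_beuserauth, that value is enough to resume the session, so any script executing in the backend page can read a session-equivalent token — exactly what an HttpOnly session cookie is meant to keep out of reach. If the flash uploader needs a credential, a short-lived token scoped to the upload endpoint is preferable to the raw session hash; at minimum, document the property on the array entry so consumers are kept to a minimum, e.g. `// idHash: session-equivalent credential for the flash uploader, readable by any script on this page`. The configuration array begins before this hunk.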