Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (Revision 8773)
+++ t3lib/class.t3lib_userauth.php (Arbeitskopie)
@@ -157,6 +157,7 @@
 
 // Internals
 var $id; // Internal: Will contain session_id (MD5-hash)
+ protected $idHash; // Internal: MD5 hash of the session id, used in combination with veriCode (vC)
 var $cookieId; // Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
 var $loginFailure = FALSE; // Indicates if an authentication was started but failed
 var $loginSessionStarted = FALSE; // Will be set to true if the login session is actually written during auth-check.
@@ -787,6 +788,10 @@
 }
 
 if ($statement && $user) {
+ if (!$this->id) {
+ $this->id = $user['ses_id'];
+ }
+
 // A user was found
 if (is_string($this->auth_timeout_field)) {
 $timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
@@ -912,7 +917,7 @@
 $statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
 '*',
 $this->session_table . ',' . $this->user_table,
- $this->session_table . '.ses_id = :ses_id
+ 'MD5(' . $this->session_table . '.ses_id) = :idhash
 AND ' . $this->session_table . '.ses_name = :ses_name
 AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . '
 ' . $ipLockClause['where'] . '
@@ -921,6 +926,7 @@
 $statement->bindValues(array(
 ':ses_id' => $this->id,
 ':ses_name' => $this->name,
+ ':idhash' => $this->getIdHash(),
 ));
 $statement->bindValues($ipLockClause['parameters']);
 }
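Review bot: The added `if (!$this->id)` block in the -787 hunk adopts whichever session row the MD5 lookup returned, so a request that carries only an `idHash` parameter and no cookie becomes that session; because the hash is an unkeyed MD5 of ses_id and is exported to the browser by the backend.php change, anyone able to observe it can resume the session without the cookie, which is worth stating in a comment above the block. The opposite case is also left inconsistent: when a cookie and an `idHash` parameter are both present, getIdHash() prefers the parameter, so `$this->id` keeps the cookie's id while `$user` comes from a different session row. Either adopt the matched id unconditionally, `$this->id = $user['ses_id'];`, or reject the row when `$this->id` is already set and differs from `$user['ses_id']`. The enclosing method starts and ends outside the hunk.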
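Review bot: Wrapping the key column as `MD5(session_table.ses_id) = :idhash` in the -912 hunk turns the session lookup into a full scan of the session table on every request, since an index on ses_id cannot serve a comparison against a function of the column; storing the hash in its own indexed column, or resolving the hash to a ses_id first, would keep the lookup indexed. MD5() is also a database-specific function, so this probably does not run unchanged on DBAL-backed installations — worth confirming. In the -921 hunk `':ses_id' => $this->id,` is still bound although the `:ses_id` placeholder no longer occurs in the query; drop the bind or keep the placeholder, depending on whether prepare_SELECTquery tolerates unused named parameters.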
@@ -1012,10 +1018,24 @@
 * @return string
 */
 public function veriCode() {
- return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
+ return substr(md5($this->getIdHash() . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
 }
 
 /**
+ * Gets the current idHash.
+ *
+ * @return string
+ */
+ public function getIdHash() {
+ if (!isset($this->idHash)) {
+ $idHash = t3lib_div::_GP('idHash');
+ $this->idHash = ($idHash ? $idHash : md5($this->id));
+ }
+
+ return $this->idHash;
+ }
+
+ /**
 * This returns the where-clause needed to lock a user to a hash integer
 *
 * @return string
Index: typo3/js/flashupload.js
===================================================================
--- typo3/js/flashupload.js (Revision 8773)
+++ typo3/js/flashupload.js (Arbeitskopie)
@@ -280,6 +280,7 @@
 swfConfig.post_params = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
 // add the veriCode from the backend.php to verify the session with the flash client
 swfConfig.post_params.vC = top.TS.veriCode;
+ swfConfig.post_params.idHash = top.TS.idHash;
 swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
 this.setFileTypeRestrictions(this.uploadFileTypes);
 return swfConfig;
Index: typo3/backend.php
===================================================================
--- typo3/backend.php (Revision 8773)
+++ typo3/backend.php (Arbeitskopie)
@@ -386,6 +386,7 @@
 'inWorkspace' => $GLOBALS['BE_USER']->workspace !== 0 ? 1 : 0,
 'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->user['workspace_preview'] ? 1 : 0,
 'veriCode' => $GLOBALS['BE_USER']->veriCode(),
+ 'idHash' => $GLOBALS['BE_USER']->getIdHash(),
 'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
 'moduleMenuWidth' => $this->menuWidth - 1,
 'topBarHeight' => (isset($GLOBALS['TBE_STYLES']['dims']['topFrameH']) ? intval($GLOBALS['TBE_STYLES']['dims']['topFrameH']) : 30),
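Review bot: getIdHash() in the -1012 hunk takes `idHash` straight from t3lib_div::_GP() without checking its shape, so any GET or POST string is accepted as the session selector, is bound into the session query, and is folded into veriCode() as the value the expected vC is derived from; the parameter should be restricted to the POST body with t3lib_div::_POST() and rejected unless it is a 32-character lowercase hex string, falling back to `md5($this->id)` otherwise. The result is also cached on first call: the -921 hunk calls it while building the session query, so if `$this->id` is still empty at that point and no parameter was sent, `md5('')` stays cached for the rest of the request — confirm no later path relies on a fresh value. The docblock "Gets the current idHash." should say that the value may come from the request rather than from the own session, and that veriCode() depends on it.
```php
	public function getIdHash() {
		if (!isset($this->idHash)) {
			$idHash = t3lib_div::_POST('idHash');
				// only a well-formed MD5 hex string may select a session; anything else falls back to the own session id
			if (!is_string($idHash) || !preg_match('/^[0-9a-f]{32}$/', $idHash)) {
				$idHash = '';
			}
			$this->idHash = ($idHash !== '' ? $idHash : md5($this->id));
		}

		return $this->idHash;
	}
```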
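Review bot: The comment above the new `swfConfig.post_params.idHash` line in the -280 hunk still describes only the veriCode, so the reader is not told why a second session-related value now travels in every upload POST. Extend it to `// add the veriCode and the idHash from backend.php; the server matches the upload to the session by idHash and checks it against vC`, hedging the last part if the server-side handler is not what actually consumes these fields.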
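Review bot: Exposing `$GLOBALS['BE_USER']->getIdHash()` in the -386 hunk hands page JavaScript a value that, combined with the -787 change, resumes the session on its own, so it should be treated with the same care as the session cookie; if that cookie is HttpOnly (not visible here — confirm), this export undoes that protection for any script running in the backend. getIdHash() can also return a request-supplied value rather than the hash of the live session, so the configuration would echo the parameter back; `'idHash' => md5($GLOBALS['BE_USER']->id),` ties the exported value to the actual session. The same consideration applies to the `this.idHash = TYPO3.configuration.idHash;` assignment in the -480 hunk of the same file.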
@@ -480,6 +481,7 @@
 this.navFrameWidth = 0;
 this.securityLevel = TYPO3.configuration.securityLevel;
 this.veriCode = TYPO3.configuration.veriCode;
+ this.idHash = TYPO3.configuration.idHash;
 this.denyFileTypes = TYPO3.configuration.denyFileTypes;
 }
 var TS = new typoSetup();