Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (Revision 8748)
+++ t3lib/class.t3lib_userauth.php (Arbeitskopie)
@@ -157,6 +157,7 @@
 // Internals
 var $id; // Internal: Will contain session_id (MD5-hash)
+ protected $idHash; // Internal: MD5 hash of the session id, used in combination with veriCode (vC)
 var $cookieId; // Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
 var $loginFailure = FALSE; // Indicates if an authentication was started but failed
 var $loginSessionStarted = FALSE; // Will be set to true if the login session is actually written during auth-check.
@@ -774,6 +775,10 @@
 $dbres = $this->fetchUserSessionFromDB();
 if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+ if (!$this->id) {
+ $this->id = $user['ses_id'];
+ }
+
 // A user was found
 if (is_string($this->auth_timeout_field)) {
 $timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
@@ -893,7 +898,7 @@
 $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
 '*',
 $this->session_table.','.$this->user_table,
- $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
+ 'MD5(' . $this->session_table.'.ses_id) = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->getIdHash(), $this->session_table).'
 AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
 AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
 '.$this->ipLockClause().'
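Review bot: In the hunk at -774, the added `if (!$this->id) { $this->id = $user['ses_id']; }` copies the real session id into the object from a row that was selected by hash, so a client that presented only `idHash` ends up with an object holding the full session id. If code later in this function or in its callers writes `$this->id` back to the client, a holder of the hash would be upgraded to the real id; that code is outside the hunk and should be checked. The block also has no comment; something like `// Cookieless request (flash upload): session was found via idHash, adopt its ses_id` would tell the next reader why an empty id is expected here. The enclosing function starts and ends outside the hunk.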
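Review bot: In the hunk at -893, changing the predicate to `MD5(ses_id) = ...` applies a function to the column, so an index on `ses_id` can no longer serve this lookup and the database has to hash the rows it scans on every authenticated request (the table definition is not shown, so this is inferred). On an installation with many sessions that lets ordinary traffic put real load on the database. Keeping the original `ses_id = fullQuoteStr($this->id, ...)` predicate whenever `$this->id` is set and using the `MD5(...)` form only for the cookieless case, or storing the hash in its own indexed column, would avoid this. The query continues outside the hunk.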
@@ -978,10 +983,24 @@
 * @return string
 */
 public function veriCode() {
- return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
+ return substr(md5($this->getIdHash() . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
 }
 /**
+ * Gets the current idHash.
+ *
+ * @return string
+ */
+ public function getIdHash() {
+ if (!isset($this->idHash)) {
+ $idHash = t3lib_div::_GP('idHash');
+ $this->idHash = ($idHash ? $idHash : md5($this->id));
+ }
+
+ return $this->idHash;
+ }
+
+ /**
 * This returns the where-clause needed to lock a user to a hash integer
 *
 * @return string
Index: typo3/js/flashupload.js
===================================================================
--- typo3/js/flashupload.js (Revision 8748)
+++ typo3/js/flashupload.js (Arbeitskopie)
@@ -280,6 +280,7 @@
 swfConfig.post_params = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
 // add the veriCode from the backend.php to verify the session with the flash client
 swfConfig.post_params.vC = top.TS.veriCode;
+ swfConfig.post_params.idHash = top.TS.idHash;
 swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
 this.setFileTypeRestrictions(this.uploadFileTypes);
 return swfConfig;
Index: typo3/backend.php
===================================================================
--- typo3/backend.php (Revision 8748)
+++ typo3/backend.php (Arbeitskopie)
@@ -386,6 +386,7 @@
 'inWorkspace' => $GLOBALS['BE_USER']->workspace !== 0 ? 1 : 0,
 'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->user['workspace_preview'] ? 1 : 0,
 'veriCode' => $GLOBALS['BE_USER']->veriCode(),
+ 'idHash' => $GLOBALS['BE_USER']->getIdHash(),
 'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
 'moduleMenuWidth' => $this->menuWidth - 1,
 'topBarHeight' => (isset($GLOBALS['TBE_STYLES']['dims']['topFrameH']) ? intval($GLOBALS['TBE_STYLES']['dims']['topFrameH']) : 30),
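Review bot: In the hunk at -978, `getIdHash()` lets a request parameter take precedence over the session's own id: whenever `idHash` is present in GET or POST it replaces `md5($this->id)`, and that value then drives both the lookup in fetchUserSessionFromDB() and `veriCode()`. Nothing here checks that the value is a string of 32 hex characters, and `_GP()` can hand back an array, so a malformed parameter reaches `fullQuoteStr()` and `md5()` unvalidated. The request value should be used only when no session id is available and only after a format check, as sketched below; whether vC is verified before the lookup runs is not visible in these hunks and should be confirmed. The property comment added at -157 also says the field is the MD5 of the session id, which is not accurate when the value came from the request.

```php
public function getIdHash() {
	if (!isset($this->idHash)) {
		$requestHash = t3lib_div::_GP('idHash');
			// Use the request value only when no session id is known (cookieless
			// flash upload) and it is a well-formed MD5 hex string
		if (!$this->id && is_string($requestHash) && preg_match('/^[0-9a-f]{32}$/', $requestHash)) {
			$this->idHash = $requestHash;
		} else {
			$this->idHash = md5($this->id);
		}
	}

	return $this->idHash;
}
```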
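Review bot: In the typo3/backend.php hunk at -386, the added `'idHash' => $GLOBALS['BE_USER']->getIdHash()` publishes an unsalted MD5 of the backend session id into the page configuration, right next to `veriCode`. With the lookup change in t3lib_userauth, that pair is what the server accepts from the flash client, so any script running in the backend frame can read everything the upload endpoint needs to identify the session; this gives up much of the benefit of keeping the session id itself out of the page. A value bound to the upload purpose and derived with the encryption key, rather than plain `md5(ses_id)`, would limit what a leaked value is good for. The array this line belongs to starts and ends outside the hunk.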
@@ -477,6 +478,7 @@
 this.navFrameWidth = 0;
 this.securityLevel = TYPO3.configuration.securityLevel;
 this.veriCode = TYPO3.configuration.veriCode;
+ this.idHash = TYPO3.configuration.idHash;
 this.denyFileTypes = TYPO3.configuration.denyFileTypes;
 }
 var TS = new typoSetup();