Bug #10669

Login session not "cleared" when creating new admin (security framework related?)

Added by Soren Malling about 11 years ago. Updated almost 11 years ago.

Should have

Sorry if this one should go into the TYPO3 package - if so, please move it :)

On "latest.phoenix.typo3.org" I got the possibility of deleting the main/home page. If I do so, I get the page "Welcome to TYPO3" where I can click the "Enter setup" link.

Clicking that link makes it possible to import a new package and create a new admin user. I did so, and entered a new value in the "password" field. My user was created and/but my login session was still valid, meaning I could edit content with the admin user having "wrong" credentials.

Logging out and trying to log in with the admin/password combination didn't give me access, until I used the newly entered combination.

I might expect that me changing (/creating a new and clearing current?) admin user credentials should in some way make my session invalid, as it is not the same admin user object? Is this correctly understood? Should this be considered a bug?

Related issues

Is duplicate of TYPO3.Flow - Feature #5442: Destroy session / logout user on deleting an account (New, Andreas Förthner, 2009-11-19)


Updated by Karsten Dambekalns about 11 years ago

  • Status changed from New to Needs Feedback

Well, this is really something that could be solved in the TYPO3 package. But there should be no automatism - imagine you'd be logged out whenever you create a new user in the system... This is a special case, as running the setup seems to imply a "fresh system", but that's not really the case.


Updated by Andreas Förthner almost 11 years ago

  • Status changed from Needs Feedback to Closed

The solution to this is to clear a user's session as soon as the account is destroyed. This is covered by #5442.
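
The approach discussed in this ticket, sketched as an added example that is not part of the ticket or of TYPO3 Flow's code: sessions are bound to an account identifier, removing an account destroys its sessions, and creating an unrelated account leaves existing sessions alone. The class names `SessionRegistry` and `AccountRepository`, the account names and the passwords are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical in-memory classes for illustration; not TYPO3 Flow APIs.
final class SessionRegistry
{
    /** @var array<string, string> session id => account identifier */
    private array $sessions = [];
    public function start(string $accountId): string {
        $sessionId = bin2hex(random_bytes(16)); // unpredictable session id
        $this->sessions[$sessionId] = $accountId;
        return $sessionId;
    }
    public function accountFor(string $sessionId): ?string {
        return $this->sessions[$sessionId] ?? null;
    }
    /** Drop every session bound to the given account. */
    public function destroyForAccount(string $accountId): void {
        $this->sessions = array_filter(
            $this->sessions,
            static fn (string $owner): bool => $owner !== $accountId
        );
    }
}
final class AccountRepository
{
    /** @var array<string, string> account identifier => password hash */
    private array $accounts = [];
    public function __construct(private SessionRegistry $sessions) {}
    /** Creating an account touches no existing session. */
    public function create(string $id, string $password): void {
        $this->accounts[$id] = password_hash($password, PASSWORD_DEFAULT);
    }
    /** Removing an account also ends every session that belonged to it. */
    public function remove(string $id): void {
        unset($this->accounts[$id]);
        $this->sessions->destroyForAccount($id);
    }
}
// Constructed scenario mirroring the report: log in as admin, then re-run setup.
$sessions = new SessionRegistry();
$accounts = new AccountRepository($sessions);
$accounts->create('admin', 'constructed-old-password');
$sid = $sessions->start('admin');
$accounts->create('editor', 'constructed-password'); // unrelated account is added
var_dump($sessions->accountFor($sid));               // session lookup after that
$accounts->remove('admin');                          // setup replaces the admin account
$accounts->create('admin', 'constructed-new-password');
var_dump($sessions->accountFor($sid));               // lookup of the pre-setup session
```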
