Bug #10669

Login session not "cleared" when creating new admin (security framework related?)

Added by Soren Malling almost 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2010-11-08
Due date:
% Done: 0%
PHP Version:
Has patch:
Complexity:

Description

Hi,

Sorry if this one should go into the TYPO3 package - if so, please move it :)

On "latest.phoenix.typo3.org" I got the possibility of deleting the main/home page. If I do so, I get the page "Welcome to TYPO3" where I can click the "Enter setup" link.

Clicking that link makes it possible to import a new package and create a new admin user. I did so, and entered a new value in the "password" field. My user was created and/but my login session was still valid, meaning I could edit content with the admin user having "wrong" credentials.

Logging out and trying to log in with the admin/password combination didn't give me access, until I used the newly entered combination.

I might expect that my changing (or creating a new and clearing the current?) admin user credentials should in some way make my session invalid, as it is not the same admin user object? Is this correctly understood? Should this be considered a bug?


Related issues

Duplicates TYPO3.Flow - Feature #5442: Destroy session / logout user on deleting an account (status: New, 2009-11-19)

History

#1 Updated by Karsten Dambekalns almost 9 years ago

  • Status changed from New to Needs Feedback

Well, this is really something that could be solved in the TYPO3 package. But there should be no automatism - imagine you'd be logged out whenever you create a new user in the system... This is a special case, as running the setup seems to imply a "fresh system", but that's not really the case.

#2 Updated by Andreas Förthner over 8 years ago

  • Status changed from Needs Feedback to Closed

The solution to this is to clear a user's session as soon as the account is destroyed. This is covered by #5442.
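The behaviour the reporter expected, and the resolution named in #2, as an added in-memory model (example code, not TYPO3 Flow's own): sessions are bound to an account id, and destroying an account revokes every session bound to it, so a login that predates a setup re-run cannot keep editing under the replaced admin. The `AuthStore` class, the `rerun_setup` helper and the PBKDF2 credential hashing are assumptions for the illustration.

```python
import hashlib
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real framework uses to store credentials
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    """Accounts plus the sessions bound to them (constructed in-memory model)."""

    def __init__(self) -> None:
        self.accounts = {}   # account_id -> (username, salt, password_hash)
        self.sessions = {}   # session_id -> account_id

    def create_account(self, username: str, password: str) -> str:
        account_id, salt = secrets.token_hex(8), secrets.token_bytes(16)
        self.accounts[account_id] = (username, salt, _hash(password, salt))
        return account_id

    def login(self, username: str, password: str):
        """Return a fresh session id on success, None otherwise."""
        for account_id, (name, salt, digest) in self.accounts.items():
            if name == username and secrets.compare_digest(digest, _hash(password, salt)):
                session_id = secrets.token_urlsafe(16)
                self.sessions[session_id] = account_id
                return session_id
        return None

    def is_authenticated(self, session_id: str) -> bool:
        # A session whose account no longer exists is never treated as valid
        return self.sessions.get(session_id) in self.accounts

    def destroy_account(self, account_id: str) -> int:
        """Remove the account and revoke every session bound to it (#5442)."""
        self.accounts.pop(account_id, None)
        stale = [sid for sid, aid in self.sessions.items() if aid == account_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def rerun_setup(store: AuthStore, old_admin_id: str, new_password: str) -> str:
    """Models 'Enter setup' replacing the admin: the old account and its
    sessions go away before the new admin with the new password is created."""
    store.destroy_account(old_admin_id)
    return store.create_account("admin", new_password)
```

With this model the session obtained with the old admin/password pair stops authenticating the moment setup replaces the account, while the new combination logs in normally.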
