Bug #14847

closed

Session data not cleared on logout

Added by Karsten Dambekalns almost 19 years ago. Updated over 12 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2005-06-30
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 3.7.1
PHP Version: 4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

A FE user logs in, I set some session data that gets saved in
fe_session_data. Now the user logs out, another FE user logs in (same
browser, same machine, a second later).

This new user has the same session data as the one that just logged out. So
logoff() deletes the data from fe_sessions, but fe_session_data is only
cleaned with a 1% chance, not during logoff.

Obviously this needs to be changed, as session data should not persist.

http://typo3.org/documentation/mailing-lists/dev-list-archive/thread/110129500/
(issue imported from #M1252)

Actions #1

Updated by Karsten Dambekalns almost 19 years ago

Please have a look at the thread in the dev list and tell me what you think!

Actions #2

Updated by Karsten Dambekalns almost 19 years ago

Not a bug as such. First of all, this is documented behaviour (see http://typo3.org/documentation/document-library/doc_core_tsref/Storing_user_data_or/). And there is a way to work around this: by using getSessionData() and setAndSaveSessionData() instead.

Actions #4

Updated by Sebastian Mendel over 12 years ago

Not clearing out data when user logs off is a bug.

Even I would consider this a security hole.
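
The behaviour reported in this issue, shown as an added example that is not part of the original thread and is not TYPO3's own code. It is a simplified SQLite model of the two tables, assuming fe_session_data rows are keyed by the browser's session cookie value; the column names, helper functions and sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    # Simplified stand-ins for the two tables named in the report (assumed columns).
    db.execute("CREATE TABLE fe_sessions (ses_id TEXT PRIMARY KEY, user TEXT)")
    db.execute("CREATE TABLE fe_session_data (hash TEXT PRIMARY KEY, content TEXT)")
    return db

def login(db, cookie, user):
    # Bind the browser's cookie value to the authenticated user.
    db.execute("INSERT OR REPLACE INTO fe_sessions VALUES (?, ?)", (cookie, user))

def set_data(db, cookie, content):
    # Session data lives in a separate table, keyed by the same cookie value.
    db.execute("INSERT OR REPLACE INTO fe_session_data VALUES (?, ?)", (cookie, content))

def get_data(db, cookie):
    row = db.execute(
        "SELECT content FROM fe_session_data WHERE hash = ?", (cookie,)
    ).fetchone()
    return row[0] if row else None

def logoff_reported(db, cookie):
    # Behaviour described in the report: only the login row is removed.
    db.execute("DELETE FROM fe_sessions WHERE ses_id = ?", (cookie,))

def logoff_hardened(db, cookie):
    # Remove the login row and the data stored under the same cookie value.
    db.execute("DELETE FROM fe_sessions WHERE ses_id = ?", (cookie,))
    db.execute("DELETE FROM fe_session_data WHERE hash = ?", (cookie,))

def next_user_sees(logoff):
    """Return what a second user reads after the first user logs off."""
    db = make_db()
    cookie = "constructed-cookie-value"  # same browser, so the cookie is reused
    login(db, cookie, "alice")
    set_data(db, cookie, "alice's basket")
    logoff(db, cookie)
    login(db, cookie, "bob")
    return get_data(db, cookie)

if __name__ == "__main__":
    print("reported logoff:", next_user_sees(logoff_reported))
    print("hardened logoff:", next_user_sees(logoff_hardened))
```

The `next_user_sees` function doubles as a regression check: it should return nothing for any logoff routine that is meant to end the session completely.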
