Bug #14847

Session data not cleared on logout

Added by Karsten Dambekalns over 16 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2005-06-30
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
3.7.1
PHP Version:
4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

A FE user logs in, I set some session data that get's saved in
fe_sesson_data. Now the user logs out, another FE user logs in (same
browser, same machine, a second later).

This new user has the same session data as the one that just logged out. So
logoff() deletes the data from fe_sessions, but fe_session_data is only
cleaned with a 1% chance, not during logoff.

Obviously this needs to be changed, as session data should not persist.

http://typo3.org/documentation/mailing-lists/dev-list-archive/thread/110129500/
(issue imported from #M1252)

#1

Updated by Karsten Dambekalns over 16 years ago

Please have a look at the thread in the dev list and tell me what you think!

#2

Updated by Karsten Dambekalns over 16 years ago

Not a bug as such. First of all, this is documented behaviour (see http://typo3.org/documentation/document-library/doc_core_tsref/Storing_user_data_or/). And there is a way to work around this: by using getSessionData() and setAndSaveSessionData() instead.

#4

Updated by Sebastian Mendel about 10 years ago

Not clearing out data when user loggs off is a bug.

Even i would consider this a security hole.

Also available in: Atom PDF