TYPO3 Core

Could you elaborate on why this check is necessary?

typo3/index.php relays on the global SESSIOn object (line 239 ff..

// Save challenge value in session data (thanks to Bernhard Kraft for providing code):
        session_start();
        $_SESSION['login_challenge'] = $challenge;

class.t3lib.user_auth.php, also Line 971 ff

Will this be fixed in RC2?

See Attached patch for fix, or revision 1682 in t3dd SVN Repository

I think that we could create a workaround for that and no rely on PHP sessions.

Martin: Why should we add an own implementation when there is a common used PHP module for that?

If TYPO3 relays on Session support it should be tested and documentated in the System requirements, if the code is changed to not relay on session support it will be great :-)

Michael, I'd try to avoid a new dependency if possible. IMHO it's not too hard to store one value during login by ourselves.

But of course we could use PHP sessions, but why does TYPO3 offer a DB based one of it's own?

The "only" majaor flaw of TYPO3's session handling is that it issues a new session id, but does not store it in the DB. If it did could store the challenge there.

Any stale sessions could be cleaned as usual.

Martin, the session requirement was there since ages, so there is no new dependency added by this.

If you think it will be easy to solve this different, please let me know. Otherwise I just agree with Ingo that the check should be added...

Hehe, seems I never disabed session support then. Well, for 4.1 (and possibly 4.0) we better add the check then.

Maybe I or someone else can write a fallback (or a changed session handling) for 4.2.

Fixed in Trunk