Bug #19351

FE session hijacking

Added by Dmitry Dulepov about 16 years ago. Updated about 6 years ago.

Status: Closed
Priority: Must have
Category: Communication
Target version: -
Start date: 2008-09-18
% Done: 0%
TYPO3 Version: 4.1
PHP Version: 5.2

Description

typo3/sysext/tslib/class.tslib_feuserauth.php limits the session id to 10 characters. The session id is an md5 value. If there are two users whose IP addresses are from similar networks and md5 caches are similar, session hijacking will happen. The solution is to drop the 10-character limit and use the full 32 characters of md5, as is done for the Backend.

(issue imported from #M9384)
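To quantify the point of the report (10 hex characters keep only 40 of md5's 128 bits), here is an added example; it is not TYPO3 code and not part of the original issue. The session-id generator below is a constructed stand-in (md5 over random bytes) used only to produce ids of the two lengths under discussion; the birthday-bound and keyspace functions give the risk figures a reviewer would want for the truncated versus full-length id, and the last function is the check an operator can run against issued cookies.

```python
import hashlib
import math
import secrets

HEX_BITS = 4  # each hex digit of an md5 hexdigest carries 4 bits of the digest


def session_id(full: bool = True) -> str:
    """Constructed stand-in (assumption, not TYPO3's real scheme): md5 over
    random input. The report says FE kept only the first 10 hex characters,
    while the Backend used all 32."""
    digest = hashlib.md5(secrets.token_bytes(16)).hexdigest()
    return digest if full else digest[:10]


def id_bits(sid: str) -> int:
    """Bits of the digest actually carried by a hex session id of this length."""
    return len(sid) * HEX_BITS


def collision_probability(hex_len: int, n_sessions: int) -> float:
    """Birthday bound: probability that at least two of n_sessions concurrent
    ids share the same hex_len-character value (a collision lets one user's
    cookie be accepted for another's session)."""
    space = 2 ** (hex_len * HEX_BITS)
    exponent = -n_sessions * (n_sessions - 1) / (2.0 * space)
    return -math.expm1(exponent)  # 1 - exp(x), kept precise for tiny values


def expected_guesses_to_hit_any(hex_len: int, n_active: int) -> float:
    """Average number of blind guesses needed before one matches any of the
    n_active live sessions: keyspace divided by number of valid targets.
    This is the risk figure that shows why 40 bits is too small."""
    return 2 ** (hex_len * HEX_BITS) / n_active


def is_full_length_md5_id(sid: str) -> bool:
    """Operator check for an issued cookie: a full 32-character lowercase
    hex md5 value, i.e. the fixed form the report asks for."""
    return len(sid) == 32 and all(c in "0123456789abcdef" for c in sid)
```

With 100,000 concurrent sessions the truncated id already has a measurable collision chance while the full id's is negligible, and a 40-bit id with 1,000 live sessions is hit on average after about a billion guesses.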


Files

9384.diff (918 Bytes), Administrator Admin, 2008-09-18 20:43

#1

Updated by Marcus Krause about 16 years ago

There's no correlation between IP addresses / subnets and session ids. Session ID generation is based on process id.

#2

Updated by Dmitry Dulepov about 16 years ago

Marcus, ever heard about session lock in TYPO3?

#3

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed