Bug #19351: FE session hijacking - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #19351

closed

FE session hijacking

Added by Dmitry Dulepov about 16 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Must have

Assignee:

Dmitry Dulepov

Category:

Communication

Target version:

Start date:

2008-09-18

Due date:

% Done:

Estimated time:

TYPO3 Version:

4.1

PHP Version:

5.2

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

typo3/sysext/tslib/class.tslib_feuserauth.php limits session id to 10 characters. Session id is md5 value. If there are two users, whose IP addresses are from similar networks and hd5 caches are similar, session hijacking will happen. The solution is to drop 10 characters limit and use full 32 characters of md5 like it is done for Backend.

(issue imported from #M9384)

Files

9384.diff (918 Bytes) 9384.diff

Administrator Admin, 2008-09-18 20:43

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Watchers (1)

Bug #19351

FE session hijacking

Updated by Marcus Krause about 16 years ago

Updated by Dmitry Dulepov about 16 years ago

Updated by Benni Mack about 6 years ago