<p>TYPO3 Forge (http://forge.typo3.org/), updated 2009-01-20T23:20:18Z</p>
<p>TYPO3 Core - Bug #19867: DB session records are only created when users authenticate</p>
<p><strong>Marcus Krause</strong>, 2009-01-20T23:20:18Z, http://forge.typo3.org/issues/19867?journal_id=50857</p>
<p>There are two possible solutions:</p>
<p>- let method isExistingSessionRecord() check both tables fe_sessions/be_sessions AND fe_session_data for existing session ids<br />or<br />- let TYPO3 create be_sessions/fe_sessions records also for non-authenticated users</p>
<p>My favourite is #2; what do you think?</p>
<p><strong>Francois Suter</strong> (francois@typo3.org), 2009-01-21T09:58:00Z, http://forge.typo3.org/issues/19867?journal_id=50858</p>
<p>Solution 2 seems more consistent. Obviously session ids need to be preserved once the user is logged in.</p>
<p><strong>Dmitry Dulepov</strong>, 2009-01-21T12:56:07Z, http://forge.typo3.org/issues/19867?journal_id=50859</p>
<p>#2</p>
<p><strong>Dmitry Dulepov</strong>, 2009-01-21T12:59:22Z, http://forge.typo3.org/issues/19867?journal_id=50860</p>
<p>Uploaded a simple script to test &amp; reproduce the problem. The following TS should be added to the site TS to see it in action:<br /><pre>
includeLibs.user_sestest = fileadmin/user_sestest.php
page.5 = USER_INT
page.5.userFunc = user_sestest
</pre><br />The output will display previous and new value (time stamp actually). With older TYPO3 code both values were shown. Current trunk shows only the new value (old one is always empty).</p>
<p><strong>Christian Hernmarck</strong> (ch_t3@hernmarck.ch), 2009-01-21T15:12:53Z, http://forge.typo3.org/issues/19867?journal_id=50861</p>
<p>Just a note:<br />this bug/topic is important - I upgraded to TYPO3 4.0.10, 4.1.8 and 4.2.4 (several installations on several servers) and later realized that the shop is not working anymore (basket always empty).<br />Maybe my fault (I didn't check everything on the new version) - but it seems that the updates are more and more problematic...</p>
<p>Regards<br />Christian</p>
<p><strong>Daniel Hahler</strong> (typo3@thequod.de), 2009-01-21T17:45:54Z, http://forge.typo3.org/issues/19867?journal_id=50862</p>
<p>WORKAROUND:</p>
<p>comment out / remove this part in t3lib/class.t3lib_userauth.php:<br />"|| !$this->isExistingSessionRecord($id)"</p>
<p>This removes the "session fixation fix" and appears to be better than downgrading completely.</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-21T19:23:51Z, http://forge.typo3.org/issues/19867?journal_id=50863</p>
<p>I see this patch as very urgent. The releases are not working and a new release has to come very soon.<br />Does this patch bring the user session back?</p>
<p><strong>Marcus Krause</strong>, 2009-01-21T20:27:44Z, http://forge.typo3.org/issues/19867?journal_id=50864</p>
<p>There is no patch so far, just a workaround that reverts the session fixation fix.</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-21T20:47:20Z, http://forge.typo3.org/issues/19867?journal_id=50865</p>
<p>I tend to #2, but I think there must be a garbage collection as this can raise data a lot, especially the anonymous session data should be deleted after some hours/days.</p>
<p>Unfortunately we need a quick fix.</p>
<p><strong>Helmut Hummel</strong> (typo3@helhum.io), 2009-01-21T21:30:18Z, http://forge.typo3.org/issues/19867?journal_id=50866</p>
<p>I'm not too happy about storing <em>every</em> anonymous session into the database. This could lead to a serious performance impact on high traffic sites.<br />So, I would vote for solution #1 to avoid unnecessary load on the server.</p>
<p>A compromise would be to only store the session id in fe_sessions, if $this->sesData_change is set and data is written to fe_sessions_data table...</p>
<p>But I'm not sure on this ...</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-21T21:55:57Z, http://forge.typo3.org/issues/19867?journal_id=50867</p>
<p>For the urgent reason I would say:</p>
<ul>
<li>use #1 for now to have a fix.</li>
<li>work on an alternative way like #2 without hurry</li>
</ul>
<p><strong>Marcus Krause</strong>, 2009-01-21T21:56:05Z, http://forge.typo3.org/issues/19867?journal_id=50868</p>
<p>So it's currently unclear; both solutions have their pros and cons.</p>
<p>I hereby unassign this issue. I don't want to stop anybody from working on it.</p>
<p><strong>Marcus Krause</strong>, 2009-01-21T22:48:25Z, http://forge.typo3.org/issues/19867?journal_id=50869</p>
<p>Hotfixes added, please test!</p>
<p>(*_trunk.diff is for subversion trunk only)</p>
<p><strong>Ralph Brugger</strong> (typo3bugs@public.linkpool.de), 2009-01-22T01:09:39Z, http://forge.typo3.org/issues/19867?journal_id=50870</p>
<p>Hotfix 10205.diff tested for <a class="external" href="http://www.bobsairport.de">www.bobsairport.de</a><br />Seems to work!<br />Thanks for the fast hotfix</p>
<p><strong>Daniel Hahler</strong> (typo3@thequod.de), 2009-01-22T02:24:10Z, http://forge.typo3.org/issues/19867?journal_id=50871</p>
<p>re patch: I think the additional check should only get done, if "! $count" applies to the first check;<br />In case there are results already from the first check, the second one can be skipped (saves a query).<br />Otherwise this patch looks good.</p>
<p><strong>Franz Holzinger</strong> (franz@ttproducts.de), 2009-01-22T10:02:20Z, http://forge.typo3.org/issues/19867?journal_id=50872</p>
<p>tt_products basket: The patch 10205_trunk.diff for the trunk works fine, but only with tt_products 2.8.0. It does not work with tt_products 2.5.10.</p>
<p>The patch 10205.diff for TYPO3 4.2.4 does not change anything. The table fe_session_data always remains empty.</p>
<p><strong>Manfred Mueller-Spaeth</strong> (fms1961@gmail.com), 2009-01-22T11:38:33Z, http://forge.typo3.org/issues/19867?journal_id=50873</p>
<p>The problem comes in another "flavour" for me: fe_users may login, but on the next request, they seem to be logged out.</p>
<p>The workaround mentioned above works fine in this case, but not the hotfix 10205.diff, this won't change anything on the problem described above.</p>
<p>Edit: TYPO3 4.2.4 - PHP 5.2.x - tested with FireFox on Mac OS X and Windows</p>
<p>Edit: Sorry, I made a mistake, now the hotfix works fine!</p>
<p><strong>Michael Fritz</strong> (michael.fritz@target-e.de), 2009-01-22T12:45:29Z, http://forge.typo3.org/issues/19867?journal_id=50874</p>
<p>Thanks a lot!! The hotfix does the trick!</p>
<p>10205.diff (858 bytes) 21.01.09 23:47</p>
<p><strong>Michael Stucki</strong> (michael.stucki@typo3.org), 2009-01-22T17:36:11Z, http://forge.typo3.org/issues/19867?journal_id=50875</p>
<p>By having a look at patch "10205.diff" I think it is not solving the problem correctly.</p>
<p>1) Although such session information is most likely stored in FE sessions only, there is no guarantee for this. At least checking the ->loginType is the wrong way in my opinion.</p>
<p>2) Instead of doing a select query in the fe_session_data table, I propose to simply check the client session lifetime. Every value which is more than 0 should have a corresponding record in fe_session, and vice versa, if the lifetime is 0 we can be sure it's a non-authenticated session.</p>
<p>Those who tried the old patch already, please re-test if the new solution from "bug_10205_v2.diff" will also work for you. Thanks in advance!</p>
<p>- michael</p>
<p><strong>Ralph Brugger</strong> (typo3bugs@public.linkpool.de), 2009-01-22T18:01:00Z, http://forge.typo3.org/issues/19867?journal_id=50876</p>
<p>I've checked bug_10205_v2.diff too for bobsairport.de.<br />It seems to be working the same way as the old bug_10205.diff patch.<br />Sessions are created the right way, and non-existing sessions are also detected.<br />=> it works 4 me:)</p>
<p><strong>Franz Holzinger</strong> (franz@ttproducts.de), 2009-01-22T18:34:58Z, http://forge.typo3.org/issues/19867?journal_id=50877</p>
<p>Patch bug_10205_v2.diff is not against current svn trunk, as I have thought.<br />Could you please attach the patch for trunk?</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-22T18:35:27Z, http://forge.typo3.org/issues/19867?journal_id=50878</p>
<p>I tested v2 with trunk. I had the problem that I can't login in BE (I logged in and session was invalid directly after login). Applying the patch BE login works again.</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-22T18:37:21Z, http://forge.typo3.org/issues/19867?journal_id=50879</p>
<p>I attached the v2-patch for trunk</p>
<p><strong>Marcus Krause</strong>, 2009-01-22T18:43:02Z, http://forge.typo3.org/issues/19867?journal_id=50880</p>
<p>v2 is broken, it again allows session fixation for non-authenticated (fe-) users</p>
<p><strong>Reto Schmid</strong> (reto@hausformat.com), 2009-01-22T20:57:18Z, http://forge.typo3.org/issues/19867?journal_id=50881</p>
<p>I tested the new patch "bug_10205_v2.diff", and it looks good!</p>
<p>tt_products runs and no problems with logins ...</p>
<p>Thanks a lot ;)</p>
<p><strong>Ben van 't Ende</strong> (ben@vantende.net), 2009-01-22T23:20:14Z, http://forge.typo3.org/issues/19867?journal_id=50882</p>
<p>After the fix we had no problems either. Will this be a HOTFIX now?</p>
<p><strong>Steffen Kamper</strong> (info@sk-typo3.de), 2009-01-22T23:22:14Z, http://forge.typo3.org/issues/19867?journal_id=50883</p>
<p>We have to check the comment from Marcus first, as this would be a no-go</p>
<p><strong>Marcus Krause</strong>, 2009-01-22T23:36:55Z, http://forge.typo3.org/issues/19867?journal_id=50884</p>
<p>I've reviewed a new patch created by Michael. This patch seems to be a proper bugfix. I guess, he will add it here very soon.</p>
<p><strong>Michael Stucki</strong> (michael.stucki@typo3.org), 2009-01-23T09:04:12Z, http://forge.typo3.org/issues/19867?journal_id=50885</p>
<p>New patch mentioned by Marcus is up now (bug_10205_v3.diff). Please test once again...</p>
<p><strong>Clemens Kalb</strong> (clemens.kalb@netlogix.de), 2009-01-23T10:47:24Z, http://forge.typo3.org/issues/19867?journal_id=50886</p>
<p>bug_10205_v3.diff didn't fix the problem described by Manfred Mueller-Spaeth a few comments earlier (at least it didn't fix it for me): fe_users may login, but on the next request, they seem to be logged out (TYPO3 4.0.10).</p>
<p><strong>Jens Hirschfeld</strong> (jens.hirschfeld@keepout.de), 2009-01-23T11:46:09Z, http://forge.typo3.org/issues/19867?journal_id=50887</p>
<p>[Update]<br />I've tested the patch bug_10205_v3.diff.<br />To reproduce the problem with the login being not possible with the patch bug_10205_v3.diff:<br />1. go to the fe-login page.<br />2. delete your fe_typo_user cookie<br />3. login (it looks like it is successful)<br />4. click any link in your page. You aren't logged in any more.</p>
<p>How the login is possible:<br />1. delete your fe_typo_user cookie<br />2. go to any page on your site, which contains an extension, which saves session-data.<br />3. now go to the fe-login page.<br />4. login -> the login IS successful<br />[/Update]</p>
<p>[Wrong, don't read it!]<br />This part of the note is wrong:<br />I've tested the patch bug_10205_v3.diff on different servers (2x IIS and 1x Apache).</p>
<p>The patch worked on the Apache server, but on the IIS server I have encountered the problem that no FE user can log in!<br />The user types in the username and password. After clicking the "login" button/link the user is again on the "login" page.</p>
<p>If I replace the patched files with the original ones, the login is again possible.<br />[/Wrong, don't read it!]<br />The reason was that on the IIS systems I hadn't already a cookie with session data. On the Apache system I did.</p>
<p><strong>Manfred Mueller-Spaeth</strong> (fms1961@gmail.com), 2009-01-23T12:30:48Z, http://forge.typo3.org/issues/19867?journal_id=50888</p>
<p>I thought all went fine, but I'm wrong ...</p>
<p>It's a curious thing: after using the system with the workaround above (just commenting out the call of "isExistingSessionRecord") and then patching the file (made unchanged again before), all works fine, also with deleted cookies. That's what I wrote yesterday in my comment.</p>
<p>But after truncating fe_session and fe_session_data, the same behaviour came up: fe_user login possible, but "forgotten login" with the next request.</p>
<p>Because of the lack of time, for the moment my description is not very precise. If no solution is found, I will track it with more details at the beginning of next week.</p>
<p><strong>Benno Weinzierl</strong> (bw@s2intermedia.de), 2009-01-23T12:37:43Z, http://forge.typo3.org/issues/19867?journal_id=50889</p>
<p>bug_10205_v3.diff did fix my 4.1.8-Installation.</p>
<p>It is a really urgent matter as I also updated over 10 projects until I noticed the disaster. There should be a warning at the download page of <a class="external" href="http://www.typo3.org">www.typo3.org</a> until this is fixed... just to prevent others from making the same mistake that I did.</p>
<p>Edit: Sorry, patch does NOT work in IE6&amp;7. Users are only logged in for one request. => I think same thing as Manfred Mueller-Spaeth</p>
<p><strong>Michael Stucki</strong> (michael.stucki@typo3.org), 2009-01-23T22:26:32Z, http://forge.typo3.org/issues/19867?journal_id=50890</p>
<p>Finally found the reason why this works on some sites and on some it doesn't. My assumption regarding $lifetime was wrong. It is no indication for a non-authenticated user.</p>
<p>Therefore I'm uploading a new patch which doesn't have this condition and should finally work for all scenarios.</p>
<p><strong>Michael Stucki</strong> (michael.stucki@typo3.org), 2009-01-23T22:29:59Z, http://forge.typo3.org/issues/19867?journal_id=50891</p>
<p>bug_10205_v4.diff is tested and will be submitted to the core list next.</p>
<p><strong>Manfred Mueller-Spaeth</strong> (fms1961@gmail.com), 2009-01-24T01:08:14Z, http://forge.typo3.org/issues/19867?journal_id=50892</p>
<p>I'm really sorry ... but it's the same erroneous behaviour as before ...</p>
<p>After patching a freshly unzipped 4.2.4 with v4 and clearing all caches in TYPO3 as well as the cookies and sessions in the browser (FireFox) and emptying fe_sessions and fe_session_data, it's the same problem: a fe_user may login, but the next request on a secured page causes an error "The page did not exist or was inaccessible. Reason: ID was not an accessible page" as always.</p>
<p>Again: if there are sessions in the table from using the workaround above (commenting out the part " || !$this->isExistingSessionRecord($id)"), the login works correctly without the workaround though. It's curious.</p>
<p><strong>Michael Stucki</strong> (michael.stucki@typo3.org), 2009-01-24T01:55:16Z, http://forge.typo3.org/issues/19867?journal_id=50893</p>
<p>Oh well... What a mess!</p>
<p>After verifying the patch on a client's site, I can confirm that it<br />works, however there are still more problems to be resolved.</p>
<p>The extension "commerce" does for some reason use its own session<br />table, meaning there is no content in fe_session, no content in<br />fe_session_data, but there is content in tx_commerce_baskets!</p>
<p>Now the question is, how should we treat that situation:</p>
<p>a) Ignore but warn users of that extension<br />b) Add a fix for commerce to the core - see attached patch<br />c) Add a configuration flag that disables the session fixation fix (so<br /> that the user gets more time to wait for a fix from the commerce<br /> developers).</p>
<p>Attached is a post patch that implements a check for the commerce<br />extension. However, what if there are more such extensions playing their<br />own game?</p>
<p>What do you propose?</p>
<p>- michael</p>
<p><strong>Michiel Roos</strong>, 2009-01-24T10:10:04Z, http://forge.typo3.org/issues/19867?journal_id=50894</p>
<p>C<br />Extensions should definitely not bloat the core.</p>
<p>Sending a warning to the commerce team is fine too.</p>
<p><strong>Franz Holzinger</strong> (franz@ttproducts.de), 2009-01-24T13:39:15Z, http://forge.typo3.org/issues/19867?journal_id=50895</p>
<p>A hook can be added to allow this for multiple extensions.</p>
<p><strong>Ingmar Schlecht</strong> (ingmar@typo3.org), 2009-01-24T16:58:13Z, http://forge.typo3.org/issues/19867?journal_id=50896</p>
<p>Patch v5 committed to all affected branches.</p>
<p><strong>Benni Mack</strong> (benni@typo3.org), 2018-10-02T12:26:55Z, http://forge.typo3.org/issues/19867?journal_id=386237</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>
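<p>Added example, not part of the thread and not TYPO3 core code: a simplified PHP model of the check the comments debate, contrasting a lookup in fe_sessions only with solution #1 (also checking fe_session_data). Arrays stand in for the two tables; SessionModel, resolveId() and isExistingSessionRecordStrict() are hypothetical names, and only isExistingSessionRecord() is a name taken from the thread.</p>

```php
<?php
// Added illustration: a simplified model of the session-id check discussed in
// this thread. Arrays stand in for the fe_sessions and fe_session_data tables.
// SessionModel, resolveId() and isExistingSessionRecordStrict() are hypothetical.

final class SessionModel
{
    /** @var array<string,int> authenticated sessions: session id => user uid */
    public array $feSessions = [];

    /** @var array<string,array> session data of visitors, e.g. a shop basket */
    public array $feSessionData = [];

    /** Strict variant: only ids with a row in fe_sessions count as known. */
    public function isExistingSessionRecordStrict(string $id): bool
    {
        return isset($this->feSessions[$id]);
    }

    /**
     * Solution #1 from the thread: also accept ids that own a row in
     * fe_session_data. The || short-circuits, so the second lookup only runs
     * when the first finds nothing (the "! $count" remark in the review).
     */
    public function isExistingSessionRecord(string $id): bool
    {
        return isset($this->feSessions[$id]) || isset($this->feSessionData[$id]);
    }

    /** Keep a cookie id only if the server already knows it; otherwise mint one. */
    public function resolveId(?string $cookieId, callable $isKnown): string
    {
        if ($cookieId === null || !$isKnown($cookieId)) {
            return bin2hex(random_bytes(16)); // server-generated, never client-chosen
        }
        return $cookieId;
    }
}

$model   = new SessionModel();
$strict  = fn (string $id): bool => $model->isExistingSessionRecordStrict($id);
$relaxed = fn (string $id): bool => $model->isExistingSessionRecord($id);

// Constructed sample: an anonymous visitor stored a basket under this id.
$visitor = 'a3f1c09e5b7d42688d1e0f4c6b2a9e77';
$model->feSessionData[$visitor] = ['basket' => ['sku-1' => 2]];

// An id the server never issued (constructed), as a fixation attempt would supply.
$unknown = 'ffffffffffffffffffffffffffffffff';

$report = [
    'strict check keeps anonymous id'  => $model->resolveId($visitor, $strict) === $visitor,
    'relaxed check keeps anonymous id' => $model->resolveId($visitor, $relaxed) === $visitor,
    'relaxed check keeps unknown id'   => $model->resolveId($unknown, $relaxed) === $unknown,
];
foreach ($report as $label => $kept) {
    printf("%-34s %s\n", $label . ':', $kept ? 'yes' : 'no');
}
```

<p>The strict variant replaces the anonymous visitor's id on every request, which matches the empty-basket reports above, while the two-table check keeps it and still replaces an id the server has no record of.</p>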