Project

General

Profile

Actions

Bug #19867

closed

DB session records are only created when users authenticate

Added by Marcus Krause almost 16 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Must have
Category:
-
Target version:
-
Start date:
2009-01-20
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.0
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Functions $GLOBALS["TSFE"]->fe_user->getKey() or $GLOBALS["TSFE"]->fe_user->setKey() allow to bind data to a user's session.
Unfortunately TYPO3 only creates DB session records in tables be_sessions/fe_sessions if a user authenticates.

Before applying the session fixation fix, TYPO3 always trusted the session id provided by the user through COOKIE etc. Although no DB session records were created, setKey() and getKey() worked in a way that a record in fe_session_data was created (including session id) and could be accessed.

Now, after the session fixation fix, TYPO3 will issue a new session id if there's no according db record in be_sessions/fe_sessions. This now has the drawback that every request of a non-authenticated user will force TYPO3 to issue a new session id so that getKey() no longer works as existing records in fe_session_data are associated to an "old" session identifier.

I believe that the security fix is not the cause of the problem but the trigger for it. I expect TYPO3 to create a DB session record whenever a session id is generated not only when a user authenticates itself.

(issue imported from #M10205)


Files

user_sestest.php (236 Bytes) user_sestest.php Administrator Admin, 2009-01-21 12:57
10205_trunk.diff (705 Bytes) 10205_trunk.diff Administrator Admin, 2009-01-21 23:45
10205.diff (858 Bytes) 10205.diff Administrator Admin, 2009-01-21 23:47
bug_10205_v2_trunk.diff (1.08 KB) bug_10205_v2_trunk.diff Administrator Admin, 2009-01-22 18:37
bug_10205_v3.diff (2.44 KB) bug_10205_v3.diff Administrator Admin, 2009-01-23 09:02
bug_10205_v4.diff (1.83 KB) bug_10205_v4.diff Administrator Admin, 2009-01-23 22:29
bug_10205_post1_commerce.diff (790 Bytes) bug_10205_post1_commerce.diff Administrator Admin, 2009-01-24 01:55
bug_10205_v5.patch (2.65 KB) bug_10205_v5.patch Administrator Admin, 2009-01-24 14:28

Related issues 4 (0 open4 closed)

Related to TYPO3 Core - Bug #19831: Session fixation vulnerability in user authenticationClosedMarcus Krause2009-01-15

Actions
Has duplicate TYPO3 Core - Bug #19874: Typo3 4.1.8: fe_session_data regression due to session fixation (bug 10146)ClosedMichael Stucki2009-01-21

Actions
Has duplicate TYPO3 Core - Bug #19880: Patch 10146 in Version 4.2.4 does not work for me. None of the FE Sessions are beeing keptClosedMichael Stucki2009-01-21

Actions
Has duplicate TYPO3 Core - Bug #19879: after upgrade from 4.1.7 to 4.1.8 feusers and beusers have to clear there cookie cache before they can loginClosedHelmut Hummel2009-01-21

Actions
Actions

Also available in: Atom PDF