Bug #19874


Typo3 4.1.8: fe_session_data regression due to session fixation (bug 10146)

Added by Daniel Hahler almost 16 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Category:
Communication
Target version:
-
Start date:
2009-01-21
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.1
PHP Version:
5.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In bug 10146 (which I cannot access, but is referenced in the changelog), session fixation has been fixed, so that a new session ID gets generated on each request, if there is no user logged in (the new isExistingSessionRecord checks for this).

However, this renders the fe_session_data table (through $fe_user::setKey('ses', ..)) for anonymous visitors useless: as long as you're not authenticated you'll get a new Session ID on each request and therefore any data stored in the session is lost.

I think the fix might be to expand the isExistingSessionRecord method to also look for entries with the current session ID in fe_session_data (instead of only fe_sessions).

This has been reported to fail with 4.2.4, too.
(issue imported from #M10211)
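The regression and the proposed fix described above, modelled as an added example that is not part of the original report or of TYPO3's own code. Only the table names (fe_sessions, fe_session_data), the method name isExistingSessionRecord and the setKey('ses', ...) call come from the report; the SessionStore class, the in-memory tables and the request simulation are assumptions made for this illustration.

```php
<?php
// Added example: a minimal in-memory model of the two tables the report names
// and of the isExistingSessionRecord() check. Hypothetical simplification
// written for this page, not TYPO3 code; only the table and method names
// come from the report.

class SessionStore
{
    // fe_sessions: rows exist only once a user has authenticated
    private $feSessions = [];
    // fe_session_data: per-session key/value data, also for anonymous visitors
    private $feSessionData = [];
    // whether the lookup also consults fe_session_data (the fix the report proposes)
    private $checkSessionData;

    public function __construct(bool $checkSessionData)
    {
        $this->checkSessionData = $checkSessionData;
    }

    // Decides whether an incoming session ID is trusted. Before the proposed
    // fix only fe_sessions is consulted, so anonymous sessions never match.
    public function isExistingSessionRecord(string $id): bool
    {
        if (isset($this->feSessions[$id])) {
            return true;
        }
        return $this->checkSessionData && isset($this->feSessionData[$id]);
    }

    // Session-fixation protection as the report describes it: a session ID
    // without a matching record is discarded and a fresh one is generated.
    // An ID that has rows in neither table is therefore still rejected.
    public function startRequest(?string $incomingId): string
    {
        if ($incomingId !== null && $this->isExistingSessionRecord($incomingId)) {
            return $incomingId;
        }
        return bin2hex(random_bytes(16));
    }

    // Stand-in for $fe_user->setKey('ses', $key, $value): write to fe_session_data.
    public function setKey(string $id, string $key, $value): void
    {
        $this->feSessionData[$id][$key] = $value;
    }

    public function getKey(string $id, string $key)
    {
        return $this->feSessionData[$id][$key] ?? null;
    }

    // Authentication creates the fe_sessions row (not needed for the demo below).
    public function login(string $id): void
    {
        $this->feSessions[$id] = true;
    }
}

// Simulate an anonymous visitor across two requests and report whether the
// data stored on the first request is still reachable on the second.
function anonymousDataSurvives(bool $withFix): bool
{
    $store = new SessionStore($withFix);
    // Request 1: no cookie yet, a new ID is issued and the visitor stores data.
    $id1 = $store->startRequest(null);
    $store->setKey($id1, 'cart', ['item' => 42]);
    // Request 2: the browser sends the cookie back, the visitor is still not logged in.
    $id2 = $store->startRequest($id1);
    return $id2 === $id1 && $store->getKey($id2, 'cart') !== null;
}

var_dump(anonymousDataSurvives(false)); // lookup against fe_sessions only
var_dump(anonymousDataSurvives(true));  // lookup also against fe_session_data
```

Run with `php` on the command line: the first call returns false because the second request does not find the anonymous ID in fe_sessions and issues a new one, losing the stored data; the second call returns true because the fe_session_data row makes the ID count as an existing session, which is the behaviour the report asks for. Note that in both variants an ID with no row in either table is still replaced, so the model keeps the fixation protection for IDs the server never issued.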


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #19831: Session fixation vulnerability in user authentication (Closed, Marcus Krause, 2009-01-15)

Is duplicate of TYPO3 Core - Bug #19867: DB session records are only created when users authenticate (Closed, Michael Stucki, 2009-01-20)
