Bug #19908
closed
session fixation fix avoid BE login
Added by Steffen Kamper over 15 years ago.
Updated over 5 years ago.
Description
After the fixation fix I can't log in to the BE.
To be more precise:
Login works, but I'm logged out immediately and only get an error box with "Login-error or session timed-out"
If I comment out the fixation check in class.t3lib_userauth.php, line 229, login works again.
(issue imported from #M10257)
problem occurs in trunk (other branches not tested yet)
cannot confirm in my specific setup:
FF2, cookie validity set to browser session only, t3sec_saltedpw auth services
I tracked it down, and it was a second cookie that got priority.
Domain was home.local.com
There was a cookie for .local.com, the written cookie had home.local.com but was ignored.
Only way to get login back was to delete the cookie.
I can confirm this (and it is probably solvable by playing with the conf vars to avoid cookie validity for the whole top level domain): The BE login by default will respect cookies set to the top level domain. Therefore one might recognize inconsistent behaviour (meaning to be logged out immediately) if accessing different TYPO3 versions' backends located within the same tld domain, if one backend is < 4.2.4 | 4.1.8 while the other >= ... or while logging in at one subdomain and the browser still has "older" cookies from another subdomain of the same tld named be_typo3_user.
Uh... shouldn't write here when it's too late. Of course top level domain should read domain...
Login to one installation works fine, but loading a page from another TYPO3 installation raises the Login-error. See bug ID 0010266.
Reproducible with 4.2.6dev and 4.2.5.
Steffen, please check, if you're also affected by bug #19879.
@Thomas: #19879 is indeed still a problem.
Fresh install of version 4.3.0alpha2 has the same problem. You get logged out immediately after you have been logged in.
But often before this happens we also get errors like:
the backend loads in the right column and then turns grey shaded and the login error appears in the main column.
Or:
Fatal error: Cannot run code from this file in conjunction with non encoded files in /domainpath ... /typo3conf/ext/templavoila_pagemod/mod1/conf.php on line 392
Hi Andreas, could you please recheck if this error happens on a clean TYPO3 installation, meaning not having any third party extension (like templavoila_pagemod or even templavoila) installed?
Regarding the fatal error: this cannot be a TYPO3 core issue, since this seems to be a problem regarding Zend Guard encoded files.
No further feedback provided - closing this issue.
- Status changed from Resolved to Closed
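The cookie collision diagnosed in this thread (a `be_typo3_user` cookie for `.local.com` taking priority over the one written for `home.local.com`) can be reproduced offline with the added sketch below; it is not TYPO3 code and not part of the original issue. It assumes the browser orders cookies as in RFC 6265 section 5.4 and that the server keeps the first value for a repeated name; the cookie values, the request path and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # stored without a leading dot
    host_only: bool   # True when the cookie was set without a Domain attribute
    path: str
    created: int      # creation order in the jar

def domain_match(host: str, c: Cookie) -> bool:
    if c.host_only:
        return host == c.domain
    return host == c.domain or host.endswith("." + c.domain)

def path_match(req: str, cpath: str) -> bool:
    if req == cpath:
        return True
    return req.startswith(cpath) and (cpath.endswith("/") or req[len(cpath)] == "/")

def cookie_header(jar, host, path):
    """Cookies a browser sends, ordered as in RFC 6265 section 5.4:
    longer paths first, then earlier creation time. Domain is not a sort key."""
    sent = [c for c in jar if domain_match(host, c) and path_match(path, c.path)]
    sent.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in sent)

def parse_first_wins(header):
    """Assumed server behaviour: the first value for a name is kept.
    Returns the parsed cookies and the names that appeared more than once."""
    seen, shadowed = {}, set()
    for pair in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = pair.partition("=")
        if name in seen:
            shadowed.add(name)
        else:
            seen[name] = value
    return seen, shadowed

# Constructed jar: a stale domain-wide cookie and the fresh login cookie.
JAR = [
    Cookie("be_typo3_user", "stale-id", "local.com", False, "/", created=1),
    Cookie("be_typo3_user", "fresh-id", "home.local.com", True, "/", created=2),
]

if __name__ == "__main__":
    header = cookie_header(JAR, "home.local.com", "/typo3/index.php")
    cookies, shadowed = parse_first_wins(header)
    print(header)
    print("server sees:", cookies["be_typo3_user"], "| ambiguous:", sorted(shadowed))
```

A request that carries the same session cookie name twice is the signal to look for: the session check then runs against the stale identifier even though the login itself succeeded.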