Bug #24125

jumpurl secure links over HTTPS fail in Internet Explorer when BE user logged in

Added by Alexander Stehlik over 11 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Should have
Category: Frontend
Target version: -
Start date: 2010-11-18
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.4
PHP Version: 5.2
Tags:
Complexity: medium
Is Regression:
Sprint Focus:

Description

There is a little bug in the jumpurl_secure feature. It may not affect many people because it is very specific. To reproduce it, these conditions must be met:

  • Filelinks with jumpurl_secure enabled
  • connection is HTTPS
  • browser is Internet Explorer (all Versions)
  • Backend user is logged in

When clicking on a link the download fails with the following error message: "The requested site is either unavailable or cannot be found"

The reason for this problem can be found in the start() method of the t3lib_userAuth object. For BE users the property "sendNoCacheHeaders" is set to TRUE. This results in a bunch of headers that are sent out to the client. This is the one that lets the jumpURL link fail:

header('Pragma: no-cache');

There are two possible solutions:

The first would be to send out a new header in tslib_fe->jumpUrl if connection is HTTPS:
header('Pragma: private');

Another solution would be to check in the t3lib_userAuth if the connection is HTTPS and then decide whether to use "no-cache" or "private".

If you let me know which solution you prefer I can provide a patch.

(issue imported from #M16466)


Files

typo3-16466b-jumpurl_ssl-v2.diff (1.09 KB), Administrator Admin, 2011-02-04 11:56

Related issues

Related to TYPO3 Core - Story #28743: Add method to send no-cache HTTP headers (Rejected, 2011-08-04)
Related to TYPO3 Core - Task #90601: Remove old IE https download related hack in AbstractUserAuthentication (Rejected, 2020-02-29)

#1

Updated by Alexander Stehlik over 11 years ago

Important! If you want to test this bug you have to make sure that gzip compression is disabled. Otherwise the error doesn't occur.

I realized that there is another problem with another header:
Cache-Control: no-cache

The problem is known by Microsoft and there is a hot fix for it that seems to work (tested with IE8):
http://support.microsoft.com/kb/323308/en-us

As this bug seems to affect all IE Versions I think it should be fixed in TYPO3. I'll attach a patch that improves the header handling in t3lib_userAuth::start. The patch was tested with IE8, Firefox and Google Chrome.

#2

Updated by Mr. Hudson over 11 years ago

Patch set 1 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#3

Updated by Mr. Hudson over 11 years ago

Patch set 2 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#4

Updated by Mr. Hudson about 11 years ago

Patch set 3 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#5

Updated by Alexander Stehlik about 11 years ago

  • Target version deleted (0)

During testing I realized something else. There is a PHP setting (which seems to be the default in Ubuntu) that is called

session.cache_limiter

If this is set to "nocache" (default setting on my system, Ubuntu 11.04) you will also get the error in Internet Explorer if you use an HTTPS connection.

So when you test this please make sure this is set to an empty string in your php.ini:

session.cache_limiter = 
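
The header choice discussed in the description and in comments #1 and #5, as an added example (not the attached patch and not TYPO3 core code): it keeps the no-cache headers by default and switches to "private" only for Internet Explorer over HTTPS, and it stops PHP's session layer from adding its own headers. The function names, the user-agent test and the "private" value for Cache-Control are assumptions.

```php
<?php
// Added example, not TYPO3 core code. Function names are hypothetical.

/** True when PHP itself reports the request as HTTPS. */
function isHttpsRequest(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

/** True for Internet Explorer user agents ("MSIE " up to IE 10, "Trident/" for IE 11). */
function isInternetExplorer(array $server): bool
{
    $ua = (string)($server['HTTP_USER_AGENT'] ?? '');
    return strpos($ua, 'MSIE ') !== false || strpos($ua, 'Trident/') !== false;
}

/**
 * Cache headers for a response sent while a backend user is logged in.
 * no-cache stays the default; only the failing combination is relaxed.
 */
function cacheHeadersForLoggedInUser(array $server): array
{
    $headers = [
        'Expires'       => '0',
        'Cache-Control' => 'no-cache, must-revalidate',
        'Pragma'        => 'no-cache',
    ];
    if (isHttpsRequest($server) && isInternetExplorer($server)) {
        // Assumption: "private" for both headers. It still forbids shared
        // (proxy) caches but lets the browser write the download to disk.
        $headers['Cache-Control'] = 'private, must-revalidate';
        $headers['Pragma']        = 'private';
    }
    return $headers;
}

/** Send the headers, after stopping PHP's session layer from adding its own. */
function sendCacheHeaders(array $server): void
{
    // Must run before session_start(); '' disables session.cache_limiter output.
    session_cache_limiter('');
    foreach (cacheHeadersForLoggedInUser($server) as $name => $value) {
        header($name . ': ' . $value, true); // true = replace an earlier header
    }
}
```
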
#6

Updated by Mr. Hudson about 11 years ago

Patch set 4 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#7

Updated by Mr. Hudson about 11 years ago

Patch set 5 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#8

Updated by Thorsten Kahler about 11 years ago

  • Category deleted (Communication)
  • Status changed from New to Under Review
  • PHP Version changed from 5.3 to 5.2
  • Complexity set to medium

I came across a similar problem (downloads over HTTPS in IE) (again) today. From what I found your general approach seems correct to me, the details can be discussed in Gerrit.

#9

Updated by Mr. Hudson about 11 years ago

Patch set 6 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

#10

Updated by Alexander Stehlik about 11 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#11

Updated by Thorsten Kahler about 11 years ago

  • Category set to Frontend
  • Status changed from Resolved to Under Review
  • Assignee set to Thorsten Kahler
  • Target version set to 1305

I had to re-submit the patch because I was irritated by the Gerrit UI :-}

#12

Updated by Oliver Hader almost 11 years ago

  • Target version changed from 1305 to 1341
#13

Updated by Mr. Hudson almost 11 years ago

Patch set 2 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/4193

#14

Updated by Mr. Hudson almost 11 years ago

Patch set 3 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/4193

#15

Updated by Mr. Hudson over 10 years ago

Patch set 1 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/6698

#16

Updated by Mr. Hudson over 10 years ago

Patch set 1 of change I823f72c143d9e5666db2426a5818b96a76d4c39f has been pushed to the review server.
It is available at http://review.typo3.org/6699

#17

Updated by Mr. Hudson over 10 years ago

Patch set 1 of change I814aa8a203ad5fd7cb9404cc6662d1ea0aedc5e8 has been pushed to the review server.
It is available at http://review.typo3.org/6700

#18

Updated by Gerrit Code Review over 10 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

#19

Updated by Gerrit Code Review over 10 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

#20

Updated by Gerrit Code Review over 10 years ago

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/6698

#21

Updated by Gerrit Code Review over 10 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

#22

Updated by Gerrit Code Review over 10 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

#23

Updated by Alexander Stehlik over 10 years ago

  • Status changed from Under Review to Resolved
#24

Updated by Ernesto Baschny about 9 years ago

  • Target version deleted (1341)
#25

Updated by Benni Mack almost 4 years ago

  • Status changed from Resolved to Closed
#26

Updated by Christian Eßl over 2 years ago

  • Related to Task #90601: Remove old IE https download related hack in AbstractUserAuthentication added
