Project

General

Profile

Actions

Bug #24125

closed

jumpurl secure links over HTTPS fail in Internet Explorer when BE user logged in

Added by Alexander Stehlik about 14 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Category:
Frontend
Target version:
-
Start date:
2010-11-18
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.4
PHP Version:
5.2
Tags:
Complexity:
medium
Is Regression:
Sprint Focus:

Description

There is a little bug in the jumpurl_secure feature. It may not affect many people but because it is very specific. To reproduce it, these conditions must be met:

  • Filelinks with jumpurl_secure enabled
  • connection is HTTPS
  • browser is Internet Explorer (all Versions)
  • Backend user is logged in

When clicking on a link the downloads fails with the following error message: "The requested site is either unavailable or cannot be found"

The reason for this problem can be found in the start() method of the t3lib_userAuth object. For BE users the property "sendNoCacheHeaders" is set to TRUE. This results in a bunch of headers that are sent out to the client. This is the one that let's the jumpURL link fail:

header('Pragma: no-cache');

There are two possible solutions:

The first would be to send out a new header in tslib_fe->jumpUrl if connection is HTTPS:
header('Pragma: private');

Another solution would be to check in the t3lib_userAuth if the connection is HTTPS and then decide weather to user "no-cache" or "private".

If you let me know which solution you prefer I can provide a patch.

(issue imported from #M16466)


Files

typo3-16466b-jumpurl_ssl-v2.diff (1.09 KB) typo3-16466b-jumpurl_ssl-v2.diff Administrator Admin, 2011-02-04 11:56

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Story #28743: Add method to send no-cache HTTP headersRejected2011-08-04

Actions
Related to TYPO3 Core - Task #90601: Remove old IE https download related hack in AbstractUserAuthenticationRejected2020-02-29

Actions
Actions #1

Updated by Alexander Stehlik almost 14 years ago

Important! If you want to test this bug you have to make sure, that gzip compression is disabled. Otherwise the error doesn't occur.

I realized, that there is another problem with another header:
Cache-Control: no-cache

The problem is known by microsoft and there is a hot fix for it that seems to work (tested with IE8):
http://support.microsoft.com/kb/323308/en-us

As this bug seems to affect all IE Versions I think it should be fixed in TYPO3. I'll attach a patch that improves the header handling in t3lib_userAuth::start. The patch was tested with IE8, Firefox and Google Chrome.

Actions #2

Updated by Mr. Hudson over 13 years ago

Patch set 1 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #3

Updated by Mr. Hudson over 13 years ago

Patch set 2 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #4

Updated by Mr. Hudson over 13 years ago

Patch set 3 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #5

Updated by Alexander Stehlik over 13 years ago

  • Target version deleted (0)

During testing I realized something else. There is a PHP setting (which seems to be default in Ubuntu), that is called

session.cache_limiter

If this is set to "nocache" (default setting on my system, Ubuntu 11.04) you will also get the error in the Internet Explorer if you use an HTTPS connection.

So when you test this please make sure this is set to an empty string in your php.ini:

session.cache_limiter = 
Actions #6

Updated by Mr. Hudson over 13 years ago

Patch set 4 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #7

Updated by Mr. Hudson over 13 years ago

Patch set 5 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #8

Updated by Thorsten Kahler over 13 years ago

  • Category deleted (Communication)
  • Status changed from New to Under Review
  • PHP Version changed from 5.3 to 5.2
  • Complexity set to medium

I came across a similar problem (downloads over HTTPS in IE) (again) today. From what I found your general approach seems correct to me, the details can be discussed in Gerrit.

Actions #9

Updated by Mr. Hudson over 13 years ago

Patch set 6 of change I9ebe84174256263b8b0cae6cf9db58da76985a96 has been pushed to the review server.
It is available at http://review.typo3.org/1417

Actions #10

Updated by Alexander Stehlik over 13 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #11

Updated by Thorsten Kahler over 13 years ago

  • Category set to Frontend
  • Status changed from Resolved to Under Review
  • Assignee set to Thorsten Kahler
  • Target version set to 1305

I had to re-submit the patch because I was irritated by the Gerrit UI :-}

Actions #12

Updated by Oliver Hader over 13 years ago

  • Target version changed from 1305 to 1341
Actions #13

Updated by Mr. Hudson about 13 years ago

Patch set 2 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #14

Updated by Mr. Hudson about 13 years ago

Patch set 3 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #15

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I94a3f1b7f05e15cef23519f76127114251a3eabc has been pushed to the review server.
It is available at http://review.typo3.org/6698

Actions #16

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I823f72c143d9e5666db2426a5818b96a76d4c39f has been pushed to the review server.
It is available at http://review.typo3.org/6699

Actions #17

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I814aa8a203ad5fd7cb9404cc6662d1ea0aedc5e8 has been pushed to the review server.
It is available at http://review.typo3.org/6700

Actions #18

Updated by Gerrit Code Review almost 13 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #19

Updated by Gerrit Code Review almost 13 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #20

Updated by Gerrit Code Review almost 13 years ago

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/6698

Actions #21

Updated by Gerrit Code Review almost 13 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #22

Updated by Gerrit Code Review over 12 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/4193

Actions #23

Updated by Alexander Stehlik over 12 years ago

  • Status changed from Under Review to Resolved
Actions #24

Updated by Ernesto Baschny over 11 years ago

  • Target version deleted (1341)
Actions #25

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions #26

Updated by Christian Eßl almost 5 years ago

  • Related to Task #90601: Remove old IE https download related hack in AbstractUserAuthentication added
Actions

Also available in: Atom PDF