Bug #28948

Session is always started

Added by Christopher Hlubek over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2011-08-12
Due date:
% Done: 0%
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

We have severe problems with fb_magento after a recent change in TYPO3 4.5.4. The problem is that the session is started before Magento is initialized.

I don't see any option in TYPO3 to disable the call to session_start or the FE user initialization at all.

I consider this a bug, since in some setups you don't want a PHP session (e.g. websites without FE users and session storage) for performance reasons.


Related issues

  • Related to TYPO3 Core - Bug #28694: PHP Warning: session_start() (Closed, 2011-08-03)
  • Related to TYPO3 Core - Bug #24456: Information disclosure during backend login (Closed, 2011-01-03)
  • Duplicates TYPO3 Core - Bug #29274: Regression on session handling for security fix (Closed, 2011-08-26)

History

#1 Updated by Jigal van Hemert over 8 years ago

  • Status changed from New to Needs Feedback

This change was part of a security update. I don't think it will be reverted.

I don't see the problem reported in the typogento bugtracker; in fact there isn't much activity there (latest version is over a year old and that means that there have been new TYPO3 major versions since then).

I don't consider it a bug that TYPO3 starts a session for a user who is not logged in. The problem is probably within the extension.

Can you provide more information why exactly the extension has to rely on the fact that no PHP session was started?

#2 Updated by Thorsten Kahler over 8 years ago

  • Status changed from Needs Feedback to Accepted
  • Target version set to 4.5.6

Jigal van Hemert wrote:

I don't consider it a bug that TYPO3 starts a session for a user who is not logged in. The problem is probably within the extension.

No, it's not:
  1. sessions are now started even in command line mode
  2. it's not possible to have "cookie free domains" (appending the session ID to the URL parameters is not an option for security reasons)

Since you both mention a change but don't name it, I guess you're talking about 281713c3?

#3 Updated by Helmut Hummel over 8 years ago

  • Status changed from Accepted to Closed

Closed as duplicate
