Bug #29274

Regression on session handling for security fix

Added by Ernesto Baschny over 10 years ago. Updated about 4 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: Frontend
Target version:
Start date: 2011-08-26
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.3
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

After upgrading from 4.3.11 to 4.3.12, an embedded application (run as a TYPO3 extension) did not work anymore. After some research, I discovered it was due to the change introduced in #24456, which moved the call of "session_start()" from a place where it was only called on demand (when doing a challenge/response login) to a place where it is always being called (even on the frontend).

Two issues with this change:

1) My embedded application, unfortunately, also does a session_start(). It also stores lots of objects in this session. The classes for these objects are loaded by the application before calling session_start(), so PHP can build the objects just fine.

But now that TYPO3 calls session_start() on every hit and very early, the classes of my application are not loaded yet! Thus the session is filled with "__PHP_Incomplete_Class" objects, and the application no longer works.

2) Another issue which happened after this change is that several customer sites began running over quota, simply because every FE hit (even from Google & Co) created a new PHP session (files in phptmp). This was not so before and will cause annoyances for bigger sites, which are tuned for fast FE rendering explicitly without cookies / sessions.

In my situation the result is worse than the "security gain" obtained by this change. So please consider either reverting it again (also in 4.4 and 4.5) or apply it somewhere else.
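
The two effects the report describes, as an added example that is not part of this issue or of TYPO3's code: session data unserialized before its class is loaded comes back as __PHP_Incomplete_Class, and starting the session only where the challenge/response login actually needs it avoids both that and the per-hit session files. The class CartItem and the functions loadApplicationClasses(), ensureSessionStarted() and handleRequest() are hypothetical names chosen for the example.

```php
<?php
// Added example, not TYPO3 or the reporter's code. CartItem,
// loadApplicationClasses() and ensureSessionStarted() are made-up names.

// Constructed payload, in the form PHP stores an object in session data.
$stored = 'O:8:"CartItem":1:{s:3:"sku";s:6:"ABC123";}';

function loadApplicationClasses(): void
{
    // Stands in for the application's class files; declared conditionally
    // so that PHP does not hoist the class to the top of the script.
    if (!class_exists('CartItem', false)) {
        class CartItem { public $sku = ''; }
    }
}

// 1) Reading session data before the classes exist: the object survives
//    only as a placeholder and the application can no longer use it.
$early = unserialize($stored);
echo get_class($early), PHP_EOL;          // __PHP_Incomplete_Class

loadApplicationClasses();                 // classes first ...
$late = unserialize($stored);             // ... then the session data
echo get_class($late), ' ', $late->sku, PHP_EOL;  // CartItem ABC123

// 2) Start a session only where it is needed. Anonymous frontend hits
//    then get neither a session cookie nor a file under session.save_path.
function ensureSessionStarted(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        session_start();
    }
}

function handleRequest(bool $needsChallengeResponseLogin): string
{
    if (!$needsChallengeResponseLogin) {
        return 'anonymous hit: no session created';
    }
    loadApplicationClasses();   // load before the session is unserialized
    ensureSessionStarted();
    return 'login request: session available';
}

echo handleRequest(false), PHP_EOL;
echo handleRequest(true), PHP_EOL;
```

The ordering in handleRequest() is the point: whatever code owns the objects in the session must be loadable before session_start() reads the session file, and anonymous requests should never reach that call.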


Files

session-fix.diff (653 bytes), added by Helmut Hummel, 2011-08-31 23:13

Related issues

Related to TYPO3 Core - Bug #24456: Information disclosure during backend login (Closed, 2011-01-03)
Related to TYPO3 Core - Bug #28900: All links have Parameter PHPSESSID at first load of website URL (Closed, Manfred Langhammer, 2011-08-10)
Related to TYPO3 Core - Feature #29750: Pre-Session Hook in t3lib_userauth (Rejected, 2011-09-13)
Related to TYPO3 Core - Bug #28694: PHP Warning: session_start() (Closed, 2011-08-03)
Related to TYPO3 Core - Bug #29927: Remove occurences of session_start() (Closed, 2011-09-17)
Has duplicate TYPO3 Core - Bug #28948: Session is always started (Closed, 2011-08-12)
