Bug #34964
closed
FE Session record is never removed, even if no session data left
100%
Description
One of the security features in TYPO3 is a changing FE cookie IDs for each request. This mechanism is paused when session data is saved. The problem is that there is no proper way to remove session data. Instead, entries are saved without valid data. So even if there is no more session data, the cookie stays unchanged, which undermines a security feature.
Flashmessages demonstrate the issue. Once a flashmessages was set in session data, it never gets removed. Even if it was delivered and flushed.
Invalidation of FE session data happens in tslib_feuserauth::storeSessionData()
...
$insertFields = array (
'hash' => $this->id,
'content' => serialize($this->sesData),
'tstamp' => $GLOBALS['EXEC_TIME'],
);
$this->removeSessionData();
$GLOBALS['TYPO3_DB']->exec_INSERTquery('fe_session_data', $insertFields);
...
$this->sesData is NULL, but serialize($this->sesData) results in 'N;'.
However, even if it was NULL, the session data is never removed. There is no check for empty data.
Solution is to check for $data===NULL in setKey(), then unset the key and check for empty $this->sesData before writing to DB.
Files
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by