Bug #34964

closed

FE Session record is never removed, even if no session data left

Added by Steffen Müller about 12 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2012-03-17
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

One of the security features in TYPO3 is that the FE cookie ID changes with each request. This mechanism is paused as soon as session data is saved. The problem is that there is no proper way to remove session data again: instead, entries are saved without valid data. So even when no session data is left, the cookie stays unchanged, which undermines the security feature.

Flash messages demonstrate the issue. Once a flash message has been set in session data, it never gets removed, even after it has been delivered and flushed.

Invalidation of FE session data happens in tslib_feuserauth::storeSessionData():

...
// Build the row for this session; note that serialize(NULL) still yields 'N;'.
$insertFields = array (
  'hash' => $this->id,
  'content' => serialize($this->sesData),
  'tstamp' => $GLOBALS['EXEC_TIME'],
);
// The old record is removed, but a new one is inserted unconditionally,
// even when $this->sesData is empty or NULL.
$this->removeSessionData();
$GLOBALS['TYPO3_DB']->exec_INSERTquery('fe_session_data', $insertFields);
...

Here $this->sesData is NULL, but serialize($this->sesData) yields the string 'N;', so a record with no usable content is written. Even when $this->sesData is NULL, the session record is never removed, because there is no check for empty data before the INSERT.

The solution is to check for $data === NULL in setKey() and unset the key in that case, and to check for an empty $this->sesData before writing to the database.
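The following is an added illustration (not TYPO3 core code and not the attached patch): a hypothetical SessionStore class stands in for tslib_feuserauth, returns the fe_session_data action it would take instead of calling $GLOBALS['TYPO3_DB'], and can be switched between the unfixed and the fixed behaviour. It assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for tslib_feuserauth (not TYPO3 code): returns the
// fe_session_data action it would take instead of calling $GLOBALS['TYPO3_DB'].
final class SessionStore
{
    private ?array $sesData = null;   // NULL until the first key is set, as in 4.5

    public function __construct(private readonly string $id, private readonly bool $fixed) {}

    // setKey(): with the fix, a NULL value removes the key instead of storing it.
    public function setKey(string $key, mixed $data): void
    {
        if ($this->fixed && $data === null) {
            if (is_array($this->sesData)) {
                unset($this->sesData[$key]);
            }
            return;
        }
        $this->sesData[$key] = $data;
    }

    // storeSessionData(): with the fix, an empty store deletes the record so the
    // FE cookie ID rotates again; without it, even NULL is written as 'N;'.
    public function storeSessionData(): array
    {
        if ($this->fixed && empty($this->sesData)) {
            return ['action' => 'DELETE', 'hash' => $this->id];
        }
        return ['action' => 'INSERT', 'fields' => [
            'hash'    => $this->id,
            'content' => serialize($this->sesData),
            'tstamp'  => time(),
        ]];
    }
}

// Constructed walk-through: a flash message is set, delivered, then flushed.
foreach ([false, true] as $fixed) {
    $store = new SessionStore('constructed-session-id', $fixed);
    $store->setKey('flashMessages', ['Record saved']);
    $store->setKey('flashMessages', null);   // flush after delivery
    printf("fixed=%d: %s\n", $fixed, json_encode($store->storeSessionData()));
}

// The case from the report: nothing was ever stored, yet a row is still written.
$never = new SessionStore('constructed-session-id', false);
printf("unfixed, never set: %s\n", json_encode($never->storeSessionData()));
```

Without the fix both runs end in an INSERT whose content is either a serialized key holding NULL or the bare string 'N;'; with the fix the flushed session ends in a DELETE, which is what lets the cookie ID change again.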


Files

34964_4-5.diff (2.74 KB) - Steffen Müller, 2012-03-17 15:52
T3X_demo34964-0_0_0-z-201203171606.t3x (94.5 KB) - Steffen Müller, 2012-03-17 16:12

Related issues (4: 0 open, 4 closed)

Related to TYPO3 Core - Bug #45570: fe_session Data Change external payment checkout (Closed, 2013-02-18)
Related to TYPO3 Core - Bug #45578: storeSessionData not working anymore with 4.5.23 (Rejected, 2013-02-18)
Related to TYPO3 Core - Bug #45708: feuserauth storeSessionData fails to save Data to DB in "ses"-mode (Closed, 2013-02-21)
Related to TYPO3 Core - Bug #53598: Select/Delete fe_sessions twice per request (Closed, Alexander Opitz, 2013-11-13)