Feature #35965

Session shouldn't start automatically

Added by Peter Russ over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2012-04-13
Due date:
% Done: 100%
PHP Version:
Has patch: No
Complexity: easy

Description

By default session handling is started automatically. This isn't useful when it comes to server/server communication.
Places where it should be fixed:
TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager line 130 * @FLOW3\Session(autoStart=true)
and
Package line 46/47
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'authenticatedToken', 'TYPO3\FLOW3\Session\SessionInterface', 'renewId');
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'loggedOut', 'TYPO3\FLOW3\Session\SessionInterface', 'destroy');

Associated revisions

Revision ab61bd44 (diff)
Added by Andreas Förthner over 7 years ago

[!!!][TASK] Change session autostart handling for authentication providers

The session autostart annotation is set at the
providers, not at the authentication manager. By
this every provider can decide on its own, if a
session is needed or not.

Also adds a safeguard in the Session Logging Aspect
to prevent errors while trying to log renewId()
even though the session was not started yet.

Change-Id: Idea18525c2ac19f0d56b7ebb3b314009a2e93461
Releases: 1.1
Resolves: #35965

Revision 69c5912c (diff)
Added by Robert Lemke over 7 years ago

[BUGFIX] Assure fresh session for functional tests

The changes done to resolve #35965 came with a functional
test that worked fine when run in isolation but failed when
run with other tests that would start a session.

This patch moves the $session->destroy() call in the
base test case from the tearDown() to the setUp()
method and fixes the behavior of destroy() in the
TransientSession which did not reset the "started"
flag.

Change-Id: I2fd85d24ef7456c84c9b36386a206c4c86a117bc
Related: #35965
Releases: 1.1
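The three things the description and the two commit messages above turn on are (1) the session-autostart decision belonging to each authentication provider rather than to the manager, (2) the `authenticatedToken` slot calling `renewId()` only on a session that was actually started, and (3) `destroy()` clearing the "started" flag so the next request gets a fresh session. The following is an added, framework-free PHP model of those three behaviours; it is not Flow's code. `TransientSession`, `PasswordProvider`, `ServerKeyProvider`, `SessionIdRenewer`, `authenticateWith()` and the `needsSession()` method (which stands in for the `@FLOW3\Session(autoStart=true)` annotation) are all invented for this illustration, and `isStarted()` is assumed to be a method of Flow's `SessionInterface` alongside the `renewId()` and `destroy()` named on the page.

```php
<?php
// Added example, not TYPO3 Flow code. All class and function names here are
// hypothetical stand-ins for the Flow classes named in the issue.

/** Minimal stand-in for SessionInterface: start / isStarted / renewId / destroy. */
final class TransientSession
{
    private bool $started = false;
    private string $id = '';

    public function start(): void
    {
        if (!$this->started) {
            $this->started = true;
            $this->id = bin2hex(random_bytes(16));
        }
    }

    public function isStarted(): bool { return $this->started; }
    public function getId(): string { return $this->id; }

    /** Issue a new id for an already-started session (anti-fixation step). */
    public function renewId(): string
    {
        if (!$this->started) {
            throw new RuntimeException('renewId() called on a session that was never started');
        }
        $this->id = bin2hex(random_bytes(16));
        return $this->id;
    }

    /** The 69c5912c point: destroy() must reset the "started" flag, not only the data. */
    public function destroy(): void
    {
        $this->started = false;
        $this->id = '';
    }
}

interface AuthenticationProvider
{
    /** Models the per-provider @FLOW3\Session(autoStart=true) annotation. */
    public function needsSession(): bool;
    public function authenticate(array $credentials): bool;
}

/** Browser login: authenticated state must survive across requests, so a session is needed. */
final class PasswordProvider implements AuthenticationProvider
{
    public function __construct(private array $usersToHashes) {}
    public function needsSession(): bool { return true; }
    public function authenticate(array $c): bool
    {
        $user = (string)($c['user'] ?? '');
        return isset($this->usersToHashes[$user])
            && password_verify((string)($c['password'] ?? ''), $this->usersToHashes[$user]);
    }
}

/** Server-to-server call: every request carries its own key, so no session is wanted. */
final class ServerKeyProvider implements AuthenticationProvider
{
    public function __construct(private string $expectedKey) {}
    public function needsSession(): bool { return false; }
    public function authenticate(array $c): bool
    {
        return hash_equals($this->expectedKey, (string)($c['apiKey'] ?? ''));
    }
}

/** Stand-in for the 'authenticatedToken' -> renewId() slot, with the ab61bd44 safeguard. */
final class SessionIdRenewer
{
    public static function onAuthenticatedToken(TransientSession $session): ?string
    {
        return $session->isStarted() ? $session->renewId() : null;
    }
}

function authenticateWith(AuthenticationProvider $p, array $credentials, TransientSession $session): bool
{
    if ($p->needsSession()) {
        $session->start();                               // autoStart only for this provider
    }
    if (!$p->authenticate($credentials)) {
        return false;
    }
    SessionIdRenewer::onAuthenticatedToken($session);   // no-op when no session was started
    return true;
}

function check(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// Constructed sample data for the demonstration.
$session  = new TransientSession();
$password = new PasswordProvider(['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$server   = new ServerKeyProvider('constructed-example-key');

check(authenticateWith($server, ['apiKey' => 'constructed-example-key'], $session), 'server auth');
check(!$session->isStarted(), 'server-to-server auth must not start a session');

check(authenticateWith($password, ['user' => 'alice', 'password' => 'correct horse'], $session), 'login');
check($session->isStarted(), 'password auth starts a session');
$idAfterLogin = $session->getId();

$session->destroy();
check(!$session->isStarted(), 'destroy() resets the started flag');
check(authenticateWith($password, ['user' => 'alice', 'password' => 'correct horse'], $session), 're-login');
check($session->getId() !== $idAfterLogin, 'fresh session after destroy()');
echo "all checks passed\n";
```

Run with `php example.php` on PHP 8.0 or newer (constructor property promotion is used). The point the model makes visible is the one from comment #4: a session is started only where a provider asks for it, and the id-renewal slot tolerates providers that never asked.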

Revision a2033af0 (diff)
Added by Karsten Dambekalns over 7 years ago

[BUGFIX] Adjust TransientSession unit test to recent change

The change in TransientSession to close the session when destroy()
is called needed to be reflected in the unit test.

Change-Id: I4bb7b128ed934afa08223eb3aeeae2f847f918a4
Related: #35965
Releases: 1.1

History

#1 Updated by Andreas Förthner over 7 years ago

  • Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow

#2 Updated by Andreas Förthner over 7 years ago

  • Category set to Security
  • Has patch set to No
  • Complexity set to easy

#3 Updated by Gerrit Code Review over 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469

#4 Updated by Robert Lemke over 7 years ago

Just for the record: it's not correct that sessions are generally started automatically - the "autostart" feature exists exactly for having more control over that behavior. What's right though is that the authenticate() method is starting a session because I did not consider authentication mechanisms which don't need sessions.

#5 Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469

#6 Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469

#7 Updated by Andreas Förthner over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
