Project

General

Profile

Actions

Bug #37780

closed

Possibility to get duplicate sessionId for different user

Added by Sven Weiss over 12 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2012-06-06
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

It is possible to get the same sessionId for different users. It actually happened on a high-traffic-site and I could reproduce it on a local test-system with some tweaks in the Core. I analyzed the Core and found out that the "new created sessionId" with createSessionId() is never been checked again the session table/s to found out if it is used for an other user/session. If you get one sessionId which is already defined for an other user/session then your browser keeps it because the session exists and then you have X users with one sessionId.

Now I created a modified version of createSessionId() in t3lib/class.t3lib_userauth.php to check every generated sessionId against the session table/s:
public function createSessionId() {
$createNewSessionId = true;
while($createNewSessionId) {
$sessionId = t3lib_div::getRandomHexString($this->hash_length);
$createNewSessionId = $this->isExistingSessionRecord($sessionId);
}
return $sessionId;
}

It is not the best solution but it works for a hot-fix.
I also found some very old bug tickets which are closed or resolved which are also talking about sessionId problems.

I can really say that it happens! (last time yesterday on a live system, bad!)


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Feature #73050: Add a CSPRNG to TYPO3Closed2016-01-31

Actions
Actions

Also available in: Atom PDF