Bug #43110

FlowSession: renewId() looses data of existing session

Added by Robert Lemke about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Must have
Assignee:
Category:
Session
Start date:
2012-11-19
Due date:
% Done:

100%

PHP Version:
5.3
Has patch:
No
Complexity:
medium

Description

Using FlowSession, on renewing the session identifier (for example after an authenticate() call), some session data seems to get lost, most importantly the security context.

This is due to the current implementation of renewId() which loads (ie. unserializes) all current session data in order to store it to cache entries with the new session id. This effectively overwrites any security context or other session-scoped object currently in memory with the state found in the old cache entry.

Associated revisions

Revision 1b6267f7 (diff)
Added by Robert Lemke about 7 years ago

[BUGFIX] FlowSession: Fixed renewId()

This patch provides a new implementation of FlowSession's renewId()
method. It previously loaded all data from the old cache entry in order
to write it into a cache entry with the new session identifier. This
effectively overwrote any existing session-scoped object which existed
in the old cache data.

The new implementation uses a session identifier independent internal
storage identifier which doesn't change on renewing the public session
identifier. This way we don't need to move around session data, but
can simply store a new mapping between session id and storage id.

This patch also lets the HTTP Request store only the baseUri instead of
the whole settings array which leads to a smaller footprint and less
information stored in a session (as the current request is, in most
cases, part of the serialized session data).

Change-Id: I1e9fc54e7a9a3170f6343378f652705535f68969
Resolves: #43110
Releases: 1.2

History

#1 Updated by Gerrit Code Review about 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16575

#2 Updated by Robert Lemke about 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF