Feature #45282

Base Distribution - Work Package #45088: Improved REST support

Support for "sessionless authentication"

Added by Bastian Waidelich over 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2013-02-08
Due date: 2013-04-13
% Done: 100%
Estimated time: 108.00 h
PHP Version:
Has patch: No
Complexity:

Description

Currently Flow relies on a session to be active in at least three places:

  1. \TYPO3\Flow\Security\Aspect\RequestDispatchingAspect::blockIllegalRequestsAndForwardToAuthenticationEntryPoints() calls \TYPO3\Flow\Security\Context::setInterceptedRequest() if an entryPoint is defined. Setting the intercepted request starts a session. This can be worked around by avoiding entryPoint or using requestPatterns to limit them only to certain parts of an application that allow sessions. #45100 might also be a solution for that.
  2. \TYPO3\Flow\Security\Authentication\AuthenticationProviderManager::authenticate() emits the authenticatedToken signal after successful authentication, which is configured to call \TYPO3\Flow\Session\SessionInterface::renewId().
  3. \TYPO3\Flow\Security\Authentication\AuthenticationProviderManager::isAuthenticated() returns FALSE if no session was started/can be resumed.
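
The workaround mentioned in point 1, sketched as a Settings.yaml fragment. This is an added example, not configuration from the ticket or from the Flow project. The provider names and the Acme\Shop controller namespaces are hypothetical, and the key names assume the Flow 2.x security settings layout.

```yaml
# Added illustration, not taken from the ticket. Provider names and controller
# namespaces (Acme\Shop\...) are hypothetical.
TYPO3:
  Flow:
    security:
      authentication:
        providers:
          # Browser-facing part: sessions are acceptable here, so the entry
          # point (and the intercepted-request handling from point 1) stays.
          BackendProvider:
            provider: PersistedUsernamePasswordProvider
            requestPatterns:
              controllerObjectName: 'Acme\Shop\Controller\Backend\.*'
            entryPoint: 'WebRedirect'
            entryPointOptions:
              uri: 'login'
          # REST part: no entryPoint is defined, so RequestDispatchingAspect
          # has no entry point to forward to and does not call
          # setInterceptedRequest() for these requests.
          ApiProvider:
            provider: PersistedUsernamePasswordProvider
            requestPatterns:
              controllerObjectName: 'Acme\Shop\Controller\Api\.*'
```

This only addresses point 1. The renewId() call in point 2 and the isAuthenticated() behaviour in point 3 still depend on a session.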

Related issues

Related to TYPO3.Flow - Feature #45100: RequestDispatchingAspect should check if entry point can handle current request | Under Review | Christopher Hlubek | 2013-02-03
