Task #55549
Only set FE user cookie if session data or user logged in
Status: closed (100% done)
Description
Currently the FE session cookie is set on every request, and since 4.2 the sessionID is generated again on every request unless the user is logged in. This is implemented for avoiding the security problem of session fixation (see #19831).

If an installation does not use FE session cookies at all, an option (TYPO3_CONF_VARS->FE->dontSetCookie) never sets the cookie.

As the current behavior for non-logged-in FE calls is not usable, the behaviour is changed to only set the cookie if the user is logged in or the session data is modified. The last example is helpful for websites with e.g. a shopping cart on non-logged-in pages. Currently, if an extension is trying to implement the latter, the extension needs to hook or XCLASS the FrontendUserAuthentication class to set the cookie whenever needed.

Additionally, the security problem still exists if the cookie is not set by TYPO3 itself; that's why the cookie can only be set if there is a valid entry in fe_user_sessions.

If using external caching (e.g. reverse proxies), an "unneeded" cookie is always set currently, which extensions like EXT:moc_varnish or EXT:cachinfo mock to only set the cookie if needed.

The attached patch removes the default-setting of a cookie in the frontend, and only triggers the setcookie() function when sessionData is added or a user is logged-in.
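As an added illustration (not code from the patch or from TYPO3), this Python model shows the cookie policy the description asks for: a presented session id is honoured only if it exists in the store, every other request gets a fresh id, and a Set-Cookie is emitted only when a stored session record exists and the user is logged in or session data was just written, with the dontSetCookie switch overriding everything. The class, method and field names are constructed, and keeping a stored anonymous session's id across requests is a simplification.

```python
import secrets


class FrontendSessionStore:
    """In-memory stand-in for fe_user_sessions (constructed, not TYPO3 code)."""

    def __init__(self, dont_set_cookie=False):
        # session id -> {"user": <name or None>, "data": {...}}
        self.sessions = {}
        # models the TYPO3_CONF_VARS->FE->dontSetCookie switch
        self.dont_set_cookie = dont_set_cookie

    def request(self, cookie=None, login_user=None, session_data=None):
        """Handle one frontend request; return (session id used, cookie to send).

        The second element is None when the response needs no Set-Cookie header.
        """
        # Only an id that exists in the store is honoured. Anything else,
        # including an id planted by a third party, is replaced by a fresh
        # one, so a session id chosen by someone else is never adopted.
        if cookie in self.sessions:
            sid = cookie
        else:
            sid = secrets.token_hex(16)
        record = self.sessions.get(sid)
        modified = False
        if login_user is not None:
            # login persists a session record and binds the user to it
            record = self.sessions.setdefault(sid, {"user": None, "data": {}})
            record["user"] = login_user
            modified = True
        if session_data:
            # e.g. a shopping cart written on a non-logged-in page
            record = self.sessions.setdefault(sid, {"user": None, "data": {}})
            record["data"].update(session_data)
            modified = True
        # Cookie policy from the issue: send it only when a valid session
        # record exists AND (the user is logged in OR session data changed).
        if self.dont_set_cookie or record is None:
            return sid, None
        if record["user"] is not None or modified:
            return sid, sid
        return sid, None


if __name__ == "__main__":
    store = FrontendSessionStore()
    print(store.request())                                   # (fresh id, None)
    print(store.request(session_data={"cart": ["sku-1"]}))   # (id, same id)
```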
Updated by Gerrit Code Review over 10 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Gerrit Code Review over 10 years ago
Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27230
Updated by Benni Mack over 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 4d25aee5587b167e1676c8e59147b13b18a9a02d.
Updated by Riccardo De Contardi almost 7 years ago
- Status changed from Resolved to Closed