Bug #58713: Failed feuser login removes the existing session data - TYPO3 Core - TYPO3 Forge

Custom queries

12 LTS
Accessibility
Dashboard issues
Easy tasks
Extbase Issues
FAL Issues
FAL Sprint 2023
Hierarchical Issues
Issues reported for v11
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
Most wanted Bugfixes
Most wanted Features
My open issues
New & Unassigned
No feedback within 90 days
Open Bugs
Open issues of 10
Page Tree Regressions after 2020-07-28
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (1)

Markus Klein

Actions

Copy link

Bug #58713

closed

Failed feuser login removes the existing session data

Added by Tommy Bley almost 10 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Must have

Assignee:

Category:

felogin

Target version:

Start date:

2014-05-12

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

6.2

PHP Version:

5.3

Tags:

Complexity:

medium

Is Regression:

Sprint Focus:

Description

In the new version of Typo3 6.2.2, a fail login in the frontend with feuser destroy the fe_typo_user cookie and this destroyed my user session

Related issues 2 (0 open — 2 closed)

Related to TYPO3 Core - Bug #57751: Felogin session not set

Closed

Markus Klein

2014-04-08

Actions

Related to TYPO3 Core - Bug #59614: The property newSessionID is used in a wrong context in AbstractUserAuthentication

Closed

2014-06-16

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Markus Klein almost 10 years ago

Status changed from New to Accepted

Easiest way to reproduce¶

Click on the forgot password link (fe cookie is created)
Click on the back to login link (fe cookie still there)
Let a login fail
Notice the cookie is gone

What happens in the background¶

When the cookie is first set, its id is chosen randomly.
On login attempts a former session (but not the session data!) is discarded and the cookie is unset, I guess for security reasons.

If the login succeeds a new session is created (but with the same id, as the id was present from the cookie beforehand) and the sessions data
is preserved as the session id is now existing again.
If the login fails, no cookie is set anymore and the session data is lost forever since the next login attempt will generate a new id.

Actions

Copy link

Updated by Markus Klein almost 10 years ago

Complexity set to medium

Actions

Copy link

Updated by Markus Klein almost 10 years ago

Subject changed from Fail Login with feuser delete the fe_typo_user cookie to Failed feuser login removes the existing session data

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485

Actions

Copy link