Bug #63922
closed
Correct handling of session data update in TYPO3 CMS 4.5 LTS
0%
Description
In ticket #19286 a patch for session data updates was discussed and applied.
Sadly enough the patch did not find it's way to the current LTS version 4.5.x
From my point of view such essential fixes should also go into the current LTS branches.
Markus
Updated by Markus Klein over 9 years ago
- Status changed from New to Rejected
I'm sorry, but 4.5 is in "important bugfix"-mode since quite a while.
Obviously this was considered a feature 3 years ago and therefore was only merged into the current master branch.
Backporting things to 4.5 now needs special permission by the Release Manager Ernesto Baschny.
It is more than unlikely that he will accept a new "feature" for 4.5.
I'd recommend to simply apply the patch which you can download easily here: https://review.typo3.org/2761
Updated by Andreas Dörler over 9 years ago
Markus Klein wrote:
I'm sorry, but 4.5 is in "important bugfix"-mode since quite a while.
Obviously this was considered a feature 3 years ago and therefore was only merged into the current master branch.
In my opinion this is not a feature, it is a clear bug.
If there is more than one request to the server at a time, it is possible to loose your session including all session data.
Consider a multistep form with AJAX validation. You've entered data in step one and step two.
On the thrid step you fill the last input field and click the submit button.
If there is a onBlur validation for this field and AJAX validation on click of the button there are two almost simultaneous requests to the server.
(Another case could be that one clicks the Submit Button multiple times [I know this could be prevented too, but the problem still exists in the core]).
What will happen?
One request updates the session data in storeSessionData which deletes the current entry in fe_session_data before inserting a new line without starting a transaction.
If the second request reaches the server in this state, where the entry is already deleted, but the new one is not created yet, Typo3 will create a new Session ID which is than returned to the client.
Et voilà - your form data (i.e. your session) will be lost!
What do you think?
Andreas
Updated by Frank Nägler over 9 years ago
Hi Andreas,
I agree to Markus, the reject is ok in my opinion.
As Markus said, this kind of bugfix is more like a feature and need the permission by Ernesto.
On the other hand, keep in mind, that the support of 4.5 ends in march 2015. This are only 4 month, this means that only important bugfixes like security fixes will find the way into 4.5.
I recommend also more likely to upgrade to 6.2 or apply the patch if it is really important in your case.
Updated by Helmut Hummel over 9 years ago
Andreas Dörler wrote:
Markus Klein wrote:
In my opinion this is not a feature, it is a clear bug.
If there is more than one request to the server at a time, it is possible to loose your session including all session data.
I agree that this change mitigates a possible race condition.
Nevertheless this change will not go into 4.5 any more at this point for the reasons already mentioned by others here, no need to additionally ask Ernesto.