Bug #75911
Status: closed
modal box to re-enter password after automatic system-logout from BE does not work - password is considered empty
100%
Description
After automatic system-logout from BE the login procedure strikes by entering the consisting password. A new login is only possible by logging out and afterwards logging in completely with username and password. If this procedure is intended, it makes no sense to offer only a password after system-logout.
Updated by Riccardo De Contardi over 8 years ago
- Status changed from New to Needs Feedback
Roland, can you explain to us better what goes wrong? Does the re-login not work, or do you think there should be a different behavior?
Correct me if I am wrong, you are talking about the re-login modal that pops up when there is no activity on the CMS for a period of time (an hour, I think).
That re-login modal offers you to enter only your password because it is implicit that you would want to re-login with the same user you are currently using.
If you want to access with a different user, then you have to do an explicit logout.
Updated by Roland Reichenauer over 8 years ago
- File relogin1.jpg added
- File relogin2.jpg added
I talk about the re-login modal that pops up when there is no activity on the CMS for a period of time (an hour, I think).
That re-login modal offers me to enter only my password because it is implicit that I would want to re-login with the same user I'm currently using. If I do so I get the error message of the enclosed first picture. Later in Backend-Log I see the message of the enclosed second picture.
Updated by Riccardo De Contardi over 8 years ago
- Subject changed from dubious behaviour by relogin after automatic system-logout from BE to modal box to re-enter password after automatic system-logout from BE does not work - password is considered empty
- Status changed from Needs Feedback to New
- Target version changed from 7.6.5 to Candidate for patchlevel
Updated by Riccardo De Contardi over 8 years ago
The issue is still present on 7.6.7, but is not always triggered...
Updated by Riccardo De Contardi over 8 years ago
I report here the findings by Stefan Berger on issue #76298:
When a valid backend session expires, the following login refresh form using a valid password fails with the default error message notice "Password not correct".
Further debugging at that state shows that the function isAuthorizedBackendSession in \TYPO3\CMS\Backend\AjaxLoginHandler::loginAction returns null because the properties $GLOBALS['BE_USER']->user of an existing $GLOBALS['BE_USER'] object are null.
In order to test that case, you can expire your backend session and then try to log in.
Updated by Robert Breithuber over 8 years ago
I can confirm this, this is a really nasty bug as it drives users insane when entering the correct password multiple times and every time getting the message "invalid password".
I wish this will be fixed ASAP. If anyone has a workaround until this is fixed, this would be great!
Updated by Stefan Froemken over 8 years ago
- Status changed from New to Accepted
I can confirm that bug and it has been there for months, months and months.
The password was sent in plaintext, but TYPO3 is configured to use RSA. So, if AuthenticationService does not find a starting "rsa:" in the password, you will not be logged in.
Maybe we should encrypt the password via JavaScript/AJAX before sending it to AuthenticationService.
Updated by Stefan Froemken over 8 years ago
OK. What about the following?
The BE-User session exists in Cookie and is valid. Login with plaintext password works.
BE-User session exists, but is invalid over time. A new session will be created. The login procedure requires an encrypted password with starting "rsa:" now. User record could not be fetched and fails with "wrong password".
Updated by Helmut Hummel over 8 years ago
- Status changed from Accepted to Needs Feedback
Can anybody of the reporters provide a clean step by step to reproduce this issue?
Thanks!
Every time I look into this or similar issues, I fail to reproduce and give up.
Updated by Helmut Hummel over 8 years ago
Riccardo De Contardi wrote:
> Further debugging at that state shows that the function isAuthorizedBackendSession in \TYPO3\CMS\Backend\AjaxLoginHandler::loginAction returns null because the properties
This just means that re-login failed, which is stated in the report, but the key is to find why re-login failed.
Updated by Helmut Hummel over 8 years ago
> I can confirm that bug and it has been there for months, months and months.
Steps to reproduce would help :)
> Maybe we should encrypt the password via JavaScript/AJAX before sending it to AuthenticationService
This actually happens. If it does not happen for you, steps to reproduce would be great.
Updated by David Bruchmann over 8 years ago
I've the problem in Windows, haven't tried yet in Linux.
In the console I can see that the password is transferred in clear-text, that's ok as I never made any adjustments.
From the server I can see the answer in the console too and it's {"login":{"success":false}}.
Login from the Login-site is working.
In version 6.2. the same scenario is working even from the refresh-login-modal-box.
Updated by Helmut Hummel over 8 years ago
Thanks for the feedback!
David Bruchmann wrote:
> I've the problem in Windows
That is very good to know. Just to be sure: this means TYPO3 is hosted on Windows AND you are accessing it with a browser, as well on Windows?
> In the console I can see that the password is transferred in clear-text,
OK
> that's ok as I never made any adjustments.
Whether that is OK or not depends on your system settings.
Do you have the extension rsaauth enabled?
What is the configuration value of [BE][loginSecurityLevel]?
What browser (including version) are you using? Does it happen in other browsers, too?
> From the server I can see the answer in the console too and it's {"login":{"success":false}}.
If rsa is enabled and the password is transmitted in clear text, then it is expected that authentication fails.
> Login from the Login-site is working.
OK.
> In version 6.2. the same scenario is working even from the refresh-login-modal-box.
OK. From what I read, it seems that this is a browser issue within certain browsers, because the only thing changed here is the JavaScript that encrypts the password (which is obviously not triggered in your case).
So please post your OS, browser and version here and also try in a different browser, just to cross check.
Updated by Jigal van Hemert over 8 years ago
Tried the same local 7.6-dev BE with the same BE user on a Win10 machine in FF 47.0.1 and Chrome 52.0.2743.116 m
In FF the order was rsa init, login refresh; in chrome it was the other way around. Relogin failed on FF, succeeded in Chrome.
Updated by Gerrit Code Review over 8 years ago
- Status changed from Needs Feedback to Under Review
Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49478
Updated by Gerrit Code Review over 8 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482
Updated by Helmut Hummel over 8 years ago
Please check out https://review.typo3.org/49482 if it fixes it for you
Updated by Gerrit Code Review over 8 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482
Updated by Gerrit Code Review over 8 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482
Updated by Gerrit Code Review about 8 years ago
Patch set 3 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49478
Updated by Anonymous about 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 5d99ff2fb289e25a5b9527df0a4de59e68f2a8ad.
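
The initialization-order dependence reported in this thread (re-login failed with "rsa init, login refresh", succeeded the other way around), as an added example that is not part of the original issue and not TYPO3 code. It assumes the encryption hook binds only to forms that exist when it initializes; all names (`initSteps`, `relogin`, `rsaDelegated`) are hypothetical, and the `rsa:` encoding is a stand-in rather than real RSA.

```javascript
// Stand-in for the client-side RSA step: only the "rsa:" marker matters here, this is NOT encryption.
function encryptPassword(value) {
  return 'rsa:' + Buffer.from(value, 'utf8').toString('base64');
}
function decryptPassword(value) {
  return Buffer.from(value.slice(4), 'base64').toString('utf8');
}

const STORED_PASSWORD = 'constructed-sample-password'; // constructed sample credential

// Hypothetical page model: each form carries its own list of submit hooks.
function createPage() { return { forms: [], delegatedHooks: [] }; }

const initSteps = {
  // Assumed fragile pattern: bind the hook only to forms that exist at init time.
  rsa(page) { page.forms.forEach((form) => form.hooks.push(encryptPassword)); },
  // Order-independent variant: keep the hook on the page and apply it at submit time.
  rsaDelegated(page) { page.delegatedHooks.push(encryptPassword); },
  // The login refresh module creates the re-login modal form.
  refresh(page) { page.forms.push({ name: 'login-refresh', hooks: [] }); },
};

// Run every hook that applies to this form over the typed password.
function submit(page, form, password) {
  return [...form.hooks, ...page.delegatedHooks].reduce((value, hook) => hook(value), password);
}

// Server with [BE][loginSecurityLevel] = rsa: a password without "rsa:" is never accepted,
// so a correct password sent in plaintext yields {"login":{"success":false}}.
function authenticate(submitted) {
  if (!submitted.startsWith('rsa:')) return { login: { success: false } };
  return { login: { success: decryptPassword(submitted) === STORED_PASSWORD } };
}

// Initialize the modules in the given order, then submit the correct password.
function relogin(order) {
  const page = createPage();
  order.forEach((step) => initSteps[step](page));
  const form = page.forms.find((f) => f.name === 'login-refresh');
  return authenticate(submit(page, form, STORED_PASSWORD)).login.success;
}

console.log(relogin(['rsa', 'refresh']), relogin(['refresh', 'rsa']));
```

With the delegated variant the result no longer depends on which module the browser initializes first.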