Bug #75911

closed

modal box to re-enter password after automatic system-logout from BE does not work - password is considered empty

Added by Roland Reichenauer almost 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Start date: 2016-04-25
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version: 5.5
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

After automatic system-logout from BE the login procedure strikes by entering the consisting password. A new login is only possible by logout and afterwards completely login with username and password. If this procedure is intended it makes no sense offering only a password after system-logout.


Files

relogin1.jpg (81.2 KB), Roland Reichenauer, 2016-05-23 15:20
relogin2.jpg (30.8 KB), Roland Reichenauer, 2016-05-23 15:20

Related issues: 4 (0 open, 4 closed)

  • Related to TYPO3 Core - Bug #76298: Backend login refresh failes (Closed, 2016-05-25)
  • Related to TYPO3 Core - Bug #77343: loginSecurityLevel doesn't hold (Rejected, Stefan Froemken, 2016-08-02)
  • Related to TYPO3 Core - Bug #78299: EXT:backend has a hard dependency to EXT:rsaauth (Closed, Frank Nägler, 2016-10-14)
  • Has duplicate TYPO3 Core - Bug #77373: Refresh Login does not accept correct password (Closed, 2016-08-03)

Actions #1

Updated by Riccardo De Contardi almost 8 years ago

  • Status changed from New to Needs Feedback

Roland, can you explain to us better what goes wrong? Does the re-login not work, or do you think there should be a different behavior?

Correct me if I am wrong, you are talking about the re-login modal that pops up when there is no activity on the CMS for a period of time (an hour, I think).
That re-login modal offers you to enter only your password because it is implicit that you would want to re-login with the same user you are currently using.
If you want to access with a different user, then you have to do an explicit logout.

Updated by Roland Reichenauer almost 8 years ago

I talk about the re-login modal that pops up when there is no activity on the CMS for a period of time (an hour, I think).
That re-login modal offers me to enter only my password because it is implicit that I would want to re-login with the same user I'm currently using. If I do so I get the error message of the enclosed first picture. Later in Backend-Log I see the message of the enclosed second picture.

Actions #3

Updated by Riccardo De Contardi almost 8 years ago

  • Subject changed from dubious behaviour by relogin after automatic system-logout from BE to modal box to re-enter password after automatic system-logout from BE does not work - password is considered empty
  • Status changed from Needs Feedback to New
  • Target version changed from 7.6.5 to Candidate for patchlevel
Actions #4

Updated by Riccardo De Contardi almost 8 years ago

The issue is still present on 7.6.7, but is not always triggered...

Actions #5

Updated by Riccardo De Contardi almost 8 years ago

I report here the findings by Stefan Berger on issue #76298:

When a valid backend session expires, the following login refresh form using a valid password fails with the default error message notice "Password not correct".
Further debugging at that state shows that the function isAuthorizedBackendSession in \TYPO3\CMS\Backend\AjaxLoginHandler::loginAction returns null because the properties $GLOBALS['BE_USER']->user of an existing $GLOBALS['BE_USER'] object are null.
In order to test that case, you can expire your backend session and then try to log in

Actions #6

Updated by Robert Breithuber almost 8 years ago

I can confirm this. This is a really nasty bug as it drives users insane when entering the correct password multiple times and every time getting the message "invalid password".

I wish this will be fixed asap. If anyone has a workaround until this is fixed, this would be great!

Actions #7

Updated by Stefan Froemken over 7 years ago

  • Status changed from New to Accepted

I can confirm that bug and it has been there for months, months and months.
The password was sent in plaintext, but TYPO3 is configured to use RSA. So, if AuthenticationService does not find a starting "rsa:" in the password, you will not be logged in.
Maybe we should encrypt the password via JavaScript/AJAX before sending it to AuthenticationService.

Actions #8

Updated by Stefan Froemken over 7 years ago

OK. What about the following?
The BE-User session exists in Cookie and is valid. Login with plaintext password works.
BE-User session exists, but is invalid over time. A new session will be created. The login procedure requires an encrypted password with starting "rsa:" now. User record could not be fetched and fails with "wrong password"

Actions #9

Updated by Helmut Hummel over 7 years ago

  • Status changed from Accepted to Needs Feedback

Can any of the reporters provide a clean step by step to reproduce this issue?

Thanks!

Every time I look into this or similar issues, I fail to reproduce and give up.

Actions #10

Updated by Helmut Hummel over 7 years ago

Riccardo De Contardi wrote:

> Further debugging at that state shows that the function isAuthorizedBackendSession in \TYPO3\CMS\Backend\AjaxLoginHandler::loginAction returns null because the properties

This just means that re-login failed, which is stated in the report, but the key is to find why re-login failed.

Actions #11

Updated by Helmut Hummel over 7 years ago

> I can confirm that bug and it has been there for months, months and months.

Steps to reproduce would help :)

> Maybe we should encrypt the password via JavaScript/AJAX before sending it to AuthenticationService

This actually happens. If it does not happen for you, steps to reproduce would be great.

Actions #12

Updated by David Bruchmann over 7 years ago

I've the problem in Windows, haven't tried yet in Linux.
In the console I can see that the password is transferred in clear-text, that's ok as I never made any adjustments.
From the server I can see the answer in the console too and it's {"login":{"success":false}}.
Login from the Login-site is working.
In version 6.2. the same scenario is working even from the refresh-login-modal-box.

Actions #13

Updated by Helmut Hummel over 7 years ago

Thanks for the feedback!

David Bruchmann wrote:

> I've the problem in Windows

That is very good to know. Just to be sure: this means TYPO3 is hosted on Windows AND you are accessing it with a browser on Windows as well?

> In the console I can see that the password is transferred in clear-text,

OK

> that's ok as I never made any adjustments.

Whether that is OK or not depends on your system settings.

Do you have the extension rsaauth enabled?
What is the configuration value of [BE][loginSecurityLevel]?
What browser (including version) are you using? Does it happen in other browsers, too?

> From the server I can see the answer in the console too and it's {"login":{"success":false}}.

If rsa is enabled and the password is transmitted in clear text, then it is expected that authentication fails.

> Login from the Login-site is working.

OK.

> In version 6.2. the same scenario is working even from the refresh-login-modal-box.

OK. From what I read, it seems that this is a browser issue within certain browsers, because the only thing changed here is the JavaScript that encrypts the password (which is obviously not triggered in your case).

So please post your OS, browser and version here and also try in a different browser, just to cross check.

Actions #14

Updated by Jigal van Hemert over 7 years ago

Tried the same local 7.6-dev BE with the same BE user on a Win10 machine in FF 47.0.1 and Chrome 52.0.2743.116 m
In FF the order was rsa init, login refresh; in Chrome it was the other way around. Relogin failed on FF, succeeded in Chrome.
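
The init-order observation above, combined with the "rsa:" prefix check described in comment #7, as an added example that is not part of the thread and not TYPO3 code. It assumes (hypothetically) that the RSA module only hooks forms that already exist when it initializes; all function and field names are made up for the model.

```javascript
// Constructed model of the init-order problem; none of this is TYPO3 code.
// Assumption: the RSA module hooks only forms that exist when it initializes.

// Placeholder for client-side RSA; only the "rsa:" prefix matters here.
const encrypt = () => 'rsa:<ciphertext>';

// Server side as described in the thread: with loginSecurityLevel "rsa", a
// value without the "rsa:" prefix is rejected. The separate reason code is an
// addition of this example; password verification itself is not modelled.
function serverCheck(loginSecurityLevel, userident) {
  if (loginSecurityLevel === 'rsa' && !userident.startsWith('rsa:')) {
    return { success: false, reason: 'not-encrypted' };
  }
  return { success: true, reason: 'ok' };
}

// selfRegister=false: the form relies on rsaInit having seen it.
// selfRegister=true: the code creating the form marks it for encryption.
function makePage(selfRegister) {
  const page = { forms: [] };
  page.rsaInit = () => page.forms.forEach(f => { f.encryptOnSubmit = true; });
  page.loginRefreshInit = () =>
    page.forms.push({ name: 'loginrefresh', encryptOnSubmit: selfRegister });
  page.submit = password => {
    const form = page.forms.find(f => f.name === 'loginrefresh');
    const userident = form.encryptOnSubmit ? encrypt(password) : password;
    return serverCheck('rsa', userident);
  };
  return page;
}

// Run the two init steps in the given order, then submit the re-login form.
function relogin(initOrder, password, selfRegister = false) {
  const page = makePage(selfRegister);
  initOrder.forEach(step => page[step]());
  return page.submit(password);
}

const pw = 'constructed-sample-password';
console.log(relogin(['rsaInit', 'loginRefreshInit'], pw));       // plaintext sent
console.log(relogin(['loginRefreshInit', 'rsaInit'], pw));       // encrypted
console.log(relogin(['rsaInit', 'loginRefreshInit'], pw, true)); // encrypted
```

Returning a distinct reason such as `not-encrypted` to the server log, rather than folding it into "wrong password", separates a client-side scripting failure from a genuine credential failure during triage.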

Actions #15

Updated by Gerrit Code Review over 7 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49478

Actions #16

Updated by Gerrit Code Review over 7 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482

Actions #17

Updated by Helmut Hummel over 7 years ago

Please check out https://review.typo3.org/49482 if it fixes it for you

Actions #18

Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482

Actions #19

Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49482

Actions #20

Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49478

Actions #21

Updated by Anonymous over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #22

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed