Task #79164 (closed)
Remove user agent locking for sessions
Status: Rejected
Priority: Could have
Assignee: -
Category: -
Target version: -
Start date: 2017-01-05
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Sprint Focus:
Description
It is currently possible to lock a user session to a user agent using $GLOBALS['TYPO3_CONF_VARS'][$loginType]['lockHashKeyWords'].
However, user agents are not a means of security and can be trivially spoofed by an attacker.
As of TYPO3 8.5 only 'useragent' is accepted in $GLOBALS['TYPO3_CONF_VARS'][$loginType]['lockHashKeyWords'], which can be considered removed.
IP protection should not be affected by this.
Updated by Georg Ringer almost 8 years ago
- Status changed from New to Rejected
Thanks for creating the issue. You are right that this information can be found out and spoofed.
If you don't need it, feel free to remove the useragent string from the setting. We still like to keep it as a last security measure.
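The trade-off discussed in the description and the reply, as an added PHP sketch that is not TYPO3's own code and not part of the original issue: a session lock value derived from the `lockHashKeyWords` setting, checked against three constructed requests. The function names `lockHash` and `sessionMatches`, the hashing scheme and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative only: not TYPO3's implementation. The 'useragent' keyword
// follows the setting named in the issue; everything else is assumed.

/** Derive the session lock value from the request for the configured keywords. */
function lockHash(string $lockHashKeyWords, array $server): string
{
    $parts = [];
    foreach (array_filter(array_map('trim', explode(',', $lockHashKeyWords))) as $keyword) {
        if ($keyword === 'useragent') {
            // The only input is a header chosen by the client.
            $parts[] = $server['HTTP_USER_AGENT'] ?? '';
        }
    }
    return hash('sha256', implode('::', $parts));
}

/** Accept the session only if the stored lock value matches the current request. */
function sessionMatches(array $session, string $lockHashKeyWords, array $server): bool
{
    return hash_equals($session['lock'], lockHash($lockHashKeyWords, $server));
}

// Constructed sample requests (documentation-range IP addresses).
$login     = ['HTTP_USER_AGENT' => 'ExampleBrowser/56.0', 'REMOTE_ADDR' => '192.0.2.10'];
$upgraded  = ['HTTP_USER_AGENT' => 'ExampleBrowser/57.0', 'REMOTE_ADDR' => '192.0.2.10'];
$otherHost = ['HTTP_USER_AGENT' => 'ExampleBrowser/56.0', 'REMOTE_ADDR' => '198.51.100.7'];

// Compare the setting with 'useragent' against the setting with it removed.
foreach (['useragent', ''] as $setting) {
    $session = ['lock' => lockHash($setting, $login)];
    printf("lockHashKeyWords = '%s'\n", $setting);
    printf("  same browser:            %s\n", var_export(sessionMatches($session, $setting, $login), true));
    printf("  browser updated:         %s\n", var_export(sessionMatches($session, $setting, $upgraded), true));
    printf("  other host, same header: %s\n", var_export(sessionMatches($session, $setting, $otherHost), true));
}
```

With `'useragent'` set, the check rejects the legitimate user after a browser update while still accepting any request that carries the same header value, which is why a separate IP lock has to carry the binding to the client's address.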