Task #79164

closed

Remove user agent locking for sessions

Added by Mads Lønne Jensen almost 8 years ago. Updated almost 8 years ago.

Status: Rejected
Priority: Could have
Assignee: -
Category: -
Target version: -
Start date: 2017-01-05
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Sprint Focus:

Description

It is currently possible to lock a user session to a user agent using $GLOBALS['TYPO3_CONF_VARS'][$loginType]['lockHashKeyWords'].

However, user agents are no means of security and can be trivially spoofed by an attacker.
As of TYPO3 8.5 only 'useragent' is accepted in $GLOBALS['TYPO3_CONF_VARS'][$loginType]['lockHashKeyWords'], which can be considered removed.

IP protection should not be affected by this.

Actions #1

Updated by Georg Ringer almost 8 years ago

  • Status changed from New to Rejected

Thanks for creating the issue. You are right that this information can be found out and spoofed.

If you don't need it, feel free to remove the useragent string from the setting. We still like to keep it as a last security measurement.
