Task #83212
closed
Documentation for impacts with enabled honeypot and site caching
100%
Description
\TYPO3\CMS\Frontend\Controller\TyposcriptFrontendController->isUserOrGroupSet() checks if $GLOBALS['TSFE']->fe_user->user is an array, but this works only if no data is stored anywhere in the system with TYPO3 session handling.
$GLOBALS['TSFE']->fe_user->setKey();
$GLOBALS['TSFE']->fe_user->storeSessionData();
This stores some "ses_xx" keys in the $GLOBALS['TSFE']->fe_user->user array. I'm trying to use EXT:staticfilecache, which checks for a frontend user with this method, and it returns true on every page because EXT:form stores some data in sessions. I'm pretty sure this is not a bug in EXT:staticfilecache.
I used a clean TYPO3 instance only with sysext, EXT:staticfilecache and a fluidtemplate to debug it.
TYPO3 8.7.8
PHP 7.0
Updated by Tobias Pfender almost 7 years ago
This also affects \TYPO3\CMS\Frontend\Controller\TyposcriptFrontendController->isStaticCacheble() and \TYPO3\CMS\Frontend\Controller\TyposcriptFrontendController->sendCacheHeaders()
Updated by Benni Mack almost 7 years ago
- Category changed from Frontend to Form Framework
Tobias Pfender wrote:
This also affects \TYPO3\CMS\Frontend\Controller\TyposcriptFrontendController->isStaticCacheble() and \TYPO3\CMS\Frontend\Controller\TyposcriptFrontendController->sendCacheHeaders()
The behaviour is correct; however, EXT:form is adding session data on a page with a form plugin, so this is a killer "out-of-the-core". The rest of the behaviour is correct, e.g. an extension adding shopping cart functionality that creates an (anonymous) session should never do static caching.
Updated by Ralf Zimmermann almost 7 years ago
If you use the honeypot feature (enabled by default), some data will be stored within the session (this is the only place where EXT:form uses session data).
One solution could be to disable it.
Within your form definition:
    type: Form
    identifier: fooForm
    label: 'foo'
    renderingOptions:
      honeypot:
        enable: false
    renderables:
      ...
or within your form setup:
    TYPO3:
      CMS:
        Form:
          prototypes:
            standard:
              formElementsDefinition:
                Form:
                  renderingOptions:
                    honeypot:
                      enable: false
@Björn Jacob We should add a note into the docs.
Updated by Ralf Zimmermann over 6 years ago
- Related to Epic #82340: EXT:form - improve documentation added
Updated by Ralf Zimmermann over 6 years ago
- Tracker changed from Bug to Task
- Subject changed from TyposcriptFrontendController->isUserOrGroupSet() is using wrong condition to check if fe_user is logged in to Documentation for impacts with enabled honeypot and site caching
Updated by Björn Jacob over 6 years ago
- Sprint Focus changed from Remote Sprint to On Location Sprint
Updated by Björn Jacob over 6 years ago
- Sprint Focus changed from On Location Sprint to Remote Sprint
Updated by Gerrit Code Review over 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56983
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56983
Updated by Gerrit Code Review over 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56983
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56988
Updated by Björn Jacob over 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d3cae300dd5e9842dfec89e75f64241e5873d1d4.