Bug #84503

Streamline RsaAuth login behavior

Added by Oliver Hader about 3 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2018-03-21
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Short summary

  • regression in TYPO3 v7.6.25 and v8.7.11 when trying to log into the backend using a regular workflow (fill form, click login button)
  • basically affects Firefox (except macOS version) browsers - e.g. Chrome is not affected by this misbehavior

TYPO3 releases

Updated TYPO3 versions 7.6.26 and 8.7.12 (to substitute 7.6.25 and 8.7.11) are planned to be released on Thursday, March 22nd, 2018.

Side note on RsaAuth

System extension "rsaauth" provides a public/private key encryption mechanism for user credentials that are submitted using an insecure channel (e.g. plain HTTP on port 80). In case a web site is using secure channels (e.g. HTTPS on port 443) the system extension "rsaauth" can be disabled completely in combination with changing the loginSecurityLevel setting in the install tool for frontend and backend from rsa to normal - RsaAuth is superfluous in case the communication to the server is secured via TLS (HTTPS) already.

In general it's suggested to use HTTPS instead of RsaAuth!

Explanation

The fix for issue #76120 - which was targeted to work-around situations when a login form has two submit buttons with different meanings/actions - introduced a regression which led to the situation that users could not log in anymore into the TYPO3 backend.
The mentioned regression was handled in issue #84253 which introduced a work-around for the TYPO3 backend part.

A short summary of what happened in the JavaScript part handling the login process:
  • extensions like sr_feuser_register combine different actions by using different name attributes on submit buttons in the same containing form element - in general using different endpoint actions would be suggested instead of combining the meaning in the same form
  • the mentioned first work-around change tries to preserve the name attribute of the clicked button to be sent with the very same form - this was necessary since the button gets disabled once it was clicked (to prevent resubmission and clicking multiple times) - disabled form elements are not delivered in the application/x-www-form-urlencoded part of the HTTP message to the server
  • the change that introduced the first regression was focusing on the button that has been clicked by checking the :focus state of the button and tried to click that again - since the button already became disabled, it also cannot be clicked again and won't actually send the form contents to the server
  • the behavior basically affects Firefox (excluding macOS versions, see below)

To streamline the behavior the following has to be done:
  • revert both changes, the one that introduced the regression and the other that fixed the regression in the backend scope
  • (optionally) re-implement the initial bug fix for #76120 without touching the backend part and only focussing carefully on the frontend part
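
The form behaviour summarised above, modelled as an added example that is not part of the original ticket or of TYPO3's code: a simplified form data set builder showing why a disabled button's name is lost, why re-clicking it sends nothing, and how copying the name into a hidden field preserves it. The control names, values and helper functions are constructed for illustration.

```javascript
// Simplified model of HTML form submission; controls are plain objects.
// All field names and values below are constructed samples.
function buildFormDataSet(controls, submitter) {
  const entries = [];
  for (const c of controls) {
    if (c.disabled || !c.name) continue;                    // disabled controls are never sent
    if (c.type === 'submit' && c !== submitter) continue;   // only the activated button is sent
    entries.push([c.name, c.value]);
  }
  return new URLSearchParams(entries).toString();           // application/x-www-form-urlencoded
}

// Activating a button: a disabled button cannot be clicked, so nothing is submitted.
function click(form, button) {
  return button.disabled ? null : buildFormDataSet(form, button);
}

// Submitting from script (like form.submit()): there is no submitter button.
function scriptSubmit(form) {
  return buildFormDataSet(form, null);
}

function makeForm() {
  return [
    { type: 'text', name: 'username', value: 'editor', disabled: false },
    { type: 'hidden', name: 'pass', value: 'CIPHERTEXT', disabled: false },
    { type: 'submit', name: 'save', value: 'Save', disabled: false },
    { type: 'submit', name: 'delete', value: 'Delete', disabled: false },
  ];
}

// Button disabled against double submission, then form sent from script: name is lost.
function lostButtonName() {
  const form = makeForm();
  form[2].disabled = true;
  return scriptSubmit(form);
}

// The regression: the already disabled button is clicked again, so no request is made.
function reclickDisabledButton() {
  const form = makeForm();
  form[2].disabled = true;
  return click(form, form[2]);
}

// Preserving the name: copy name/value into a hidden field before disabling the button.
function preservedButtonName() {
  const form = makeForm();
  form.push({ type: 'hidden', name: form[2].name, value: form[2].value, disabled: false });
  form[2].disabled = true;
  return scriptSubmit(form);
}
```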

Related issues

  • Related to TYPO3 Core - Bug #76120: rsaauth does not submit the name of the submit-button (Rejected, 2016-05-10)
  • Related to TYPO3 Core - Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore (Closed, Andreas Fernandez, 2018-03-14)
  • Related to TYPO3 Core - Bug #84308: Submit of RSA encrypted form not working with type="image" in TYPO3 8.7.11 (Closed, Markus Klein, 2018-03-15)

#1

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
#2

Updated by Oliver Hader about 3 years ago

  • Related to Bug #76120: rsaauth does not submit the name of the submit-button added
#3

Updated by Oliver Hader about 3 years ago

  • Related to Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore added
#4

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
#5

Updated by Gerrit Code Review about 3 years ago

  • Status changed from Accepted to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56388

#6

Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#7

Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56388

#8

Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#9

Updated by Gerrit Code Review about 3 years ago

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#10

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56393

#11

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56394

#12

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56395

#13

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56396

#14

Updated by Oliver Hader about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Reverts

#15

Updated by Gerrit Code Review about 3 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#16

Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#17

Updated by Guido S. about 3 years ago

  • Has duplicate Bug #84498: BE login button not working in Firefox added
#18

Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#19

Updated by Gerrit Code Review about 3 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#20

Updated by Gerrit Code Review about 3 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#21

Updated by Markus Klein about 3 years ago

  • Related to Bug #84308: Submit of RSA encrypted form not working with type="image" in TYPO3 8.7.11 added
#22

Updated by Markus Klein about 3 years ago

  • Has duplicate deleted (Bug #84498: BE login button not working in Firefox)
#23

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
#24

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
#25

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
#26

Updated by Oliver Hader over 2 years ago

  • Status changed from Under Review to Rejected

RSA auth is only necessary in non-SSL setups. EXT:rsaauth won't be part of TYPO3 core v10 anymore, as its concepts are wrong.
