Bug #90568
BE user cookie set regardless of session
100%
Description
The BE user cookie is always set once a user visited the /typo3 login page. Even after logout, a BE user cookie is still present.
Since a BE user cookie is the only way viable way to detect a BE session, it should only be present if there is a current session. This is important for CDNs to bypass cache for active sessions.
That means a) the cookie should only be set after successful login and b) the cookie should be removed during logout.
Related issues
Updated by Susanne Moog 11 months ago
- Related to Task #89877: Cookie "lastLoginProvider" appears to serve no true purpose added
Updated by Gerrit Code Review 11 months ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63629
Updated by Gerrit Code Review 8 months ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63629
Updated by Markus Klein 5 months ago
- Related to Bug #92035: Backend sets InstallToolSession cookie on logout added
Updated by Gerrit Code Review 5 months ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63629
Updated by Gerrit Code Review 5 months ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65372
Updated by Benni Mack 5 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c5464e579583d6c92e9ed536a9485cdcb355a21d.