Bug #90568 (closed)
BE user cookie set regardless of session
Start date: 2020-02-28
% Done: 100%
TYPO3 Version: 9
Complexity: medium
Description
The BE user cookie is always set once a user has visited the /typo3 login page. Even after logout, a BE user cookie is still present.
Since a BE user cookie is the only viable way to detect a BE session, it should only be present if there is a current session. This is important for CDNs to bypass cache for active sessions.
That means a) the cookie should only be set after successful login and b) the cookie should be removed during logout.
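The two requirements above can be checked by replaying the `Set-Cookie` headers of a login flow. This is an added example, not code from the report or from TYPO3. It assumes TYPO3's default backend cookie name `be_typo_user`; the step names and both sample flows are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "be_typo_user"  # TYPO3's default backend cookie name (configurable per site)

# Constructed sample flows: (step, Set-Cookie headers of that response).
BUGGY_FLOW = [
    ("login_page", ["be_typo_user=3f1c; path=/; HttpOnly"]),
    ("login_ok", ["be_typo_user=9a7e; path=/; HttpOnly"]),
    ("logout", []),
]
FIXED_FLOW = [
    ("login_page", []),
    ("login_ok", ["be_typo_user=9a7e; path=/; HttpOnly"]),
    ("logout", ["be_typo_user=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; "
                "Max-Age=0; path=/; HttpOnly"]),
]

def cookie_action(headers, name=COOKIE):
    """Return 'set', 'clear' or None: what one response does to the cookie."""
    action = None
    for header in headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        key, _, value = pair.partition("=")
        if key != name:
            continue
        attr = {k.strip().lower(): v.strip()
                for k, _, v in (a.partition("=") for a in attrs)}
        if "max-age" in attr:  # Max-Age takes precedence over Expires (RFC 6265)
            expired = int(attr["max-age"]) <= 0
        elif "expires" in attr:
            expired = parsedate_to_datetime(attr["expires"]) <= datetime.now(timezone.utc)
        else:
            expired = False
        action = "clear" if expired else "set"
    return action

def audit(flow):
    """Replay a flow; return (findings, cookie_still_in_browser)."""
    findings, in_browser = [], False
    for step, headers in flow:
        action = cookie_action(headers)
        if action is not None:
            in_browser = action == "set"
        if step == "login_page" and action == "set":
            findings.append("cookie set before successful login")
        if step == "logout" and in_browser:
            findings.append("cookie still present after logout")
    return findings, in_browser
```

When the second return value is true at the end of a flow, a CDN that bypasses its cache on the presence of this cookie keeps doing so for a user who has already logged out.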