Bug #90568

BE user cookie set regardless of session

Added by Philipp Gampe 11 months ago. Updated 4 months ago.

Status: Closed
Priority: Must have
Assignee:
Category: Authentication
Target version: -
Start date: 2020-02-28
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity: medium
Is Regression:
Sprint Focus:

Description

The BE user cookie is always set once a user has visited the /typo3 login page. Even after logout, a BE user cookie is still present.

Since a BE user cookie is the only viable way to detect a BE session, it should only be present if there is a current session. This is important for CDNs to bypass cache for active sessions.

That means a) the cookie should only be set after successful login and b) the cookie should be removed during logout.
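
An added example, not part of the original report or of TYPO3's code: a small checker that replays the `Set-Cookie` headers from a login-form visit, a login and a logout, and reports every step after which the BE cookie exists without a BE session, that is, violations of a) and b). The cookie name `be_typo_user` (TYPO3's default, not named in the report) and both traces are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: TYPO3's default backend cookie name (configurable per site).
BE_COOKIE = "be_typo_user"

def apply_set_cookie(jar, header, now):
    """Apply one Set-Cookie header value to jar (dict of name -> value)."""
    pair, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in attr_parts)}
    expired = False
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
            expired = int(attrs["max-age"]) <= 0
        elif "expires" in attrs:
            expired = parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparsable attribute: keep the cookie as a session cookie
    if expired:
        jar.pop(name, None)
    else:
        jar[name] = value

def audit(trace, now=None):
    """Return the steps after which the BE cookie exists without a BE session."""
    now = now or datetime.now(timezone.utc)
    jar, violations = {}, []
    for step, session_active, set_cookie_headers in trace:
        for header in set_cookie_headers:
            apply_set_cookie(jar, header, now)
        if BE_COOKIE in jar and not session_active:
            violations.append(step)
    return violations

# Constructed traces: (step, BE session active afterwards?, Set-Cookie headers).
REPORTED = [  # behaviour described in the report
    ("login form", False, ["be_typo_user=3f9c; path=/; HttpOnly"]),
    ("login", True, ["be_typo_user=7a1e; path=/; HttpOnly"]),
    ("logout", False, []),
]
REQUESTED = [  # behaviour asked for in a) and b)
    ("login form", False, []),
    ("login", True, ["be_typo_user=7a1e; path=/; HttpOnly"]),
    ("logout", False, ["be_typo_user=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/"]),
]
```

The `session_active` flag is ground truth supplied by whoever records the trace; the checker only tracks what a client's cookie jar would hold after each response.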


Related issues

Related to TYPO3 Core - Task #89877: Cookie "lastLoginProvider" appears to serve no true purpose (Closed, 2019-12-06)

Related to TYPO3 Core - Bug #92035: Backend sets InstallToolSession cookie on logout (Closed, Markus Klein, 2020-08-17)
