Bug #9532

FLOW3 loses session data / tokens if scope session is used elsewhere

Added by Robert Lemke over 9 years ago. Updated over 9 years ago.

Must have

In the TYPO3 package I started implementing a TYPO3-specific session class:

/**
 * A TYPO3 Session
 *
 * @license http://www.gnu.org/licenses/gpl.html GNU General Public License, version 3 or later
 * @scope session
 */
class Session {

    /**
     * @var \F3\PHPCR\SessionInterface
     */
    protected $contentRepositorySession;

    /**
     * Constructs the TYPO3 Session.
     *
     * This logs in at the Content Repository with the currently logged in
     * TYPO3 user and attaches the CR's session to this TYPO3 session.
     *
     * @param \F3\PHPCR\RepositoryInterface $contentRepository
     * @param \F3\FLOW3\Security\Context $securityContext
     * @author Robert Lemke <robert@typo3.org>
     */
    public function __construct(\F3\PHPCR\RepositoryInterface $contentRepository, \F3\FLOW3\Security\Context $securityContext) {
        $account = $securityContext->getAccount();
        $workspaceName = ($account !== NULL) ? 'user-' . $account->getAccountIdentifier() : 'live';
        $this->contentRepositorySession = $contentRepository->login(NULL, $workspaceName);
    }

    /**
     * Returns the current content repository session, if any
     *
     * @return \F3\PHPCR\SessionInterface
     * @author Robert Lemke <robert@typo3.org>
     */
    public function getContentRepositorySession() {
        return $this->contentRepositorySession;
    }
}
So, essentially TYPO3 Session objects contain a reference to a CR session (which is of scope prototype) and some other objects attached to that session.

Now, when I log in to the TYPO3 backend and then afterwards call a controller (in this case a Node service controller) which accesses this TYPO3 session, I lose the UsernamePassword token and therefore need to authenticate again. When I disable the @scope session of the TYPO3 Session class, I don't have to re-authenticate.

Associated revisions

Revision 327a31d1 (diff)
Added by Robert Lemke over 9 years ago

[+BUGFIX] FLOW3 (Security): Tokens don't get lost anymore between requests

If an authenticated user used a part of an application which did not
need to call certain functions of the Security Context (such as getRole())
then the login (i.e. the authentication token) was lost on the next
request. This was due to separateActiveAndInactiveTokens() only being
called on demand in certain situations.

This token separation is now done during the initialization of the security

Change-Id: I8ec310b1e32540d95ab3d49c3bccc203eca60311
Resolves: #9532
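
A simplified model of the failure the commit message describes, added here as an illustration and not taken from FLOW3: if the active/inactive split runs only on demand and (an assumption of this model) the session is rewritten from the separated lists at the end of the request, a request that never touches the security API drops the stored token. `SecurityContextModel`, `roleNames()`, `shutdown()`, `simulate()`, the per-token `active` flag and the sample token are hypothetical; only `separateActiveAndInactiveTokens()` is a name from the page.

```php
<?php
// Simplified model, not FLOW3 code. All names except
// separateActiveAndInactiveTokens() are hypothetical.
final class SecurityContextModel {
    private array $tokens = [];          // tokens restored from the session
    private array $activeTokens = [];
    private array $inactiveTokens = [];
    private bool $separated = false;

    public function __construct(private bool $eager) {}

    // Start of request: restore tokens from the session store.
    public function initialize(array $session): void {
        $this->tokens = $session['tokens'] ?? [];
        if ($this->eager) { $this->separateActiveAndInactiveTokens(); } // split during initialization
    }

    // Stands in for calls such as getRole() that trigger the lazy split.
    public function roleNames(): array {
        if (!$this->separated) { $this->separateActiveAndInactiveTokens(); }
        return array_column($this->activeTokens, 'role');
    }

    private function separateActiveAndInactiveTokens(): void {
        foreach ($this->tokens as $token) {
            if ($token['active']) { $this->activeTokens[] = $token; }
            else { $this->inactiveTokens[] = $token; }
        }
        $this->separated = true;
    }

    // End of request (assumed): persist only the separated lists.
    public function shutdown(): array {
        return ['tokens' => array_merge($this->activeTokens, $this->inactiveTokens)];
    }
}

// Runs one request against a constructed session; returns tokens left afterwards.
function simulate(bool $eager, bool $callsSecurityApi): int {
    $session = ['tokens' => [['type' => 'UsernamePassword', 'role' => 'Editor', 'active' => true]]];
    $context = new SecurityContextModel($eager);
    $context->initialize($session);
    if ($callsSecurityApi) { $context->roleNames(); }
    return count($context->shutdown()['tokens']);
}

foreach ([[false, true], [false, false], [true, false]] as [$eager, $calls]) {
    printf("eager=%d callsSecurityApi=%d tokensKept=%d\n", $eager, $calls, simulate($eager, $calls));
}
```

Only the lazy run that never calls the security API ends with an empty token list; the eager split keeps the token regardless of which code paths the request exercised.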


#1 Updated by Robert Lemke over 9 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100
