Bug #19874

Typo3 4.1.8: fe_session_data regression due to session fixation (bug 10146)

Added by Daniel Hahler over 6 years ago. Updated over 6 years ago.

Status: Resolved
Start date: 2009-01-21
Priority: Should have
Due date:
Assigned To: Michael Stucki
% Done: 0%
Category: Communication
Spent time: -
Target version: -
TYPO3 Version: 4.1
Is Regression:
PHP Version: 5.1
Sprint Focus:
Complexity:

Description

In bug 10146 (which I cannot access, but which is referenced in the changelog), session fixation has been fixed so that a new session ID gets generated on each request if no user is logged in (the new isExistingSessionRecord checks for this).

However, this renders the fe_session_data table (written through $fe_user::setKey('ses', ..)) useless for anonymous visitors: as long as you're not authenticated you'll get a new session ID on each request, and therefore any data stored in the session is lost.

I think the fix might be to expand the isExistingSessionRecord method to also look for entries with the current session ID in fe_session_data (instead of only fe_sessions).

This has been reported to fail with 4.2.4, too.
(issue imported from #M10211)
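The regression and the proposed fix, as an added example that is not TYPO3 code and not part of the original report: an in-memory SQLite database stands in for the two tables (the column names fe_sessions.ses_id and fe_session_data.hash, and the helper names, are simplifying assumptions). One variant of the existence check looks only at fe_sessions, the other also honours fe_session_data, and an anonymous visitor is walked through two requests with each.

```php
<?php
// Added example (not TYPO3 code): models the fe_session_data regression with
// an in-memory SQLite database. Table/column names are simplified assumptions.

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE fe_sessions (ses_id TEXT PRIMARY KEY, ses_userid INTEGER)');
    $db->exec('CREATE TABLE fe_session_data (hash TEXT PRIMARY KEY, content TEXT)');
}

// Regressed behaviour: only a row in fe_sessions counts as an existing session,
// and such rows are only written for authenticated users.
function isExistingSessionRecordOriginal(PDO $db, string $sesId): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM fe_sessions WHERE ses_id = :id');
    $stmt->execute([':id' => $sesId]);
    return (int)$stmt->fetchColumn() > 0;
}

// Proposed fix from the report: also accept an ID that has anonymous data.
function isExistingSessionRecordFixed(PDO $db, string $sesId): bool {
    if (isExistingSessionRecordOriginal($db, $sesId)) {
        return true;
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM fe_session_data WHERE hash = :id');
    $stmt->execute([':id' => $sesId]);
    return (int)$stmt->fetchColumn() > 0;
}

// Start of a request: keep the cookie's session ID only if a record for it
// exists; otherwise issue a fresh one (the anti-fixation behaviour).
function resolveSessionId(PDO $db, string $cookieSesId, callable $exists): string {
    return $exists($db, $cookieSesId) ? $cookieSesId : bin2hex(random_bytes(16));
}

// Equivalent of $fe_user->setKey('ses', ...) / getKey('ses', ...) for this model.
function setSessionData(PDO $db, string $sesId, array $data): void {
    $stmt = $db->prepare('INSERT OR REPLACE INTO fe_session_data (hash, content) VALUES (:id, :c)');
    $stmt->execute([':id' => $sesId, ':c' => serialize($data)]);
}

function getSessionData(PDO $db, string $sesId): ?array {
    $stmt = $db->prepare('SELECT content FROM fe_session_data WHERE hash = :id');
    $stmt->execute([':id' => $sesId]);
    $content = $stmt->fetchColumn();
    return $content === false ? null : unserialize($content);
}

// Two requests by an anonymous visitor; returns what the second request can read.
function simulate(callable $exists): ?array {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    createSchema($db);

    // Request 1: no cookie yet, a new ID is issued and the visitor stores data.
    $sesId = resolveSessionId($db, '', $exists);
    setSessionData($db, $sesId, ['cart' => ['item-42']]);

    // Request 2: the browser sends the same cookie back.
    $sesId2 = resolveSessionId($db, $sesId, $exists);
    return getSessionData($db, $sesId2);
}

var_dump(simulate('isExistingSessionRecordOriginal')); // NULL: a fresh ID was issued, data is gone
var_dump(simulate('isExistingSessionRecordFixed'));    // array with 'cart': the ID was kept
```

With the original check the second request never sees the cart because the ID it presented was not in fe_sessions and was replaced. Accepting an ID that already has fe_session_data rows keeps anonymous state alive; the fixation defence then has to rely on regenerating the session ID at the moment of authentication, so a pre-set ID never carries over into a logged-in session.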


Related issues

related to Core - Bug #19831: Session fixation vulnerability in user authentication Resolved 2009-01-15
duplicates Core - Bug #19867: DB session records are only created when users authenticate Resolved 2009-01-20
