Bug #19908

session fixation fix avoid BE login

Added by Steffen Kamper over 6 years ago. Updated over 5 years ago.

Status: Resolved
Start date: 2009-01-25
Priority: Must have
Due date:
Assigned To: Oliver Hader
% Done: 0%
Category: -
Spent time: -
Target version: -
TYPO3 Version: 4.3
Is Regression:
PHP Version: 5.3
Sprint Focus:
Complexity:

Description

After the fixation fix I can't log in to the BE.
To be more precise:
Login works, but I'm logged out immediately and only get an error box with "Login-error or session timed-out"

If I comment out the fixation check in class.t3lib_userauth.php, line 229, login works again.

(issue imported from #M10257)


Related issues

related to Core - Bug #19831: Session fixation vulnerability in user authentication Resolved 2009-01-15
related to Core - Bug #19879: after upgrade from 4.1.7 to 4.1.8 feusers and beusers hav... Resolved 2009-01-21
related to Core - Bug #19912: The Bug 0010205 "DB session records are only created whe... Resolved 2009-01-25
related to Core - Bug #19916: Session handling - cannot login to >1 TYPO3 installation ... Closed 2009-01-26
related to Core - Bug #20424: Built In shopping basket is not working Closed 2009-05-14

History

#1 Updated by Steffen Kamper over 6 years ago

Problem occurs in trunk (other branches not tested yet).

#2 Updated by Marcus Krause over 6 years ago

cannot confirm in my specific setup:
FF2, cookie validity set to browser session only, t3sec_saltedpw auth services

#3 Updated by Steffen Kamper over 6 years ago

I tracked it down, and it was a second cookie that got priority.
Domain was home.local.com
There was a cookie for .local.com; the written cookie had home.local.com but was ignored.

Only way to get login back was to delete the cookie.

#4 Updated by Ralf Hettinger over 6 years ago

I can confirm this (and it is probably solvable by playing with the conf vars to avoid cookie validity for the whole top level domain): the BE login by default will respect cookies set to the top level domain. Therefore one might notice inconsistent behaviour (meaning being logged out immediately) when accessing different TYPO3 versions' backends located within the same tld domain, if one backend is < 4.2.4 | 4.1.8 while the other is >= ..., or when logging in at one subdomain while the browser still has "older" cookies named be_typo3_user from another subdomain of the same tld.

#5 Updated by Ralf Hettinger over 6 years ago

Uh... shouldn't write here when it's too late. Of course top level domain should read domain...
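
As an added illustration of the mechanism described in comments #3 and #4 (this is not TYPO3 code and not from this thread): when a stale cookie named be_typo3_user is scoped to .local.com, the browser sends it alongside the host-only cookie written for home.local.com, and a server that keeps the first value of a repeated name never sees the session id issued at login. The "first value wins" rule is an assumption about PHP cookie parsing; the hostnames and session ids are constructed.

```python
# Added example (not TYPO3 code): models why a stale parent-domain cookie named
# be_typo3_user shadows the host-only cookie written at login (comments #3, #4).
# "First cookie wins" on the server is an assumption about PHP's $_COOKIE
# handling; domains and session values below are constructed for illustration.
from dataclasses import dataclass

COOKIE_NAME = "be_typo3_user"

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # ".local.com" (domain cookie) or "home.local.com" (host-only)
    host_only: bool

def domain_match(host: str, cookie: Cookie) -> bool:
    """RFC 6265 matching: a host-only cookie matches the exact host, a domain
    cookie matches the domain itself and every subdomain of it."""
    if cookie.host_only:
        return host == cookie.domain
    d = cookie.domain.lstrip(".")
    return host == d or host.endswith("." + d)

def cookie_header(jar: list, host: str) -> list:
    """(name, value) pairs the browser sends to this host, in creation order,
    so an older .local.com cookie precedes the fresh home.local.com one."""
    return [(c.name, c.value) for c in jar if domain_match(host, c)]

def server_cookies(pairs: list) -> dict:
    """Assumed PHP rule: when a name repeats, the first value is kept."""
    seen = {}
    for name, value in pairs:
        seen.setdefault(name, value)
    return seen

def login_survives(jar: list, host: str, issued_id: str) -> bool:
    """The fixation check only accepts the session id the backend just issued;
    a shadowed cookie makes the very next request look like a stale session."""
    return server_cookies(cookie_header(jar, host)).get(COOKIE_NAME) == issued_id

def duplicate_names(pairs: list) -> list:
    """Diagnostic worth logging server-side: cookie names that arrive twice."""
    names = [n for n, _ in pairs]
    return sorted({n for n in names if names.count(n) > 1})

# Constructed scenario from comment #3: stale cookie scoped to .local.com, fresh
# host-only cookie for home.local.com written by the backend at login.
STALE = Cookie(COOKIE_NAME, "old-id-from-other-install", ".local.com", False)
FRESH = Cookie(COOKIE_NAME, "id-issued-at-login", "home.local.com", True)
```

Removing the stale cookie from the jar (what comment #3 did by deleting it in the browser) leaves a single be_typo3_user pair and the check passes; logging `duplicate_names()` on the server makes this condition visible instead of surfacing only as "Login-error or session timed-out".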

#6 Updated by Thomas Schröder over 6 years ago

Login to one installation works fine, but loading a page from another TYPO3 installation raises the Login-error. See bug ID 0010266.
Reproducible with 4.2.6dev and 4.2.5.

#7 Updated by Helmut Hummel over 6 years ago

Steffen, please check, if you're also affected by bug #19879.

@Thomas: #19879 is indeed still a problem.

#8 Updated by Andreas Becker (Andi) over 6 years ago

Fresh install of version 4.3.0alpha2 has the same problem. You get logged out immediately after you have logged in.
But often before this happens we also get errors like:
the backend loads in the right column and then turns grey-shaded, and the login error appears in the main column.
Or:
Fatal error: Cannot run code from this file in conjunction with non encoded files in /domainpath ... /typo3conf/ext/templavoila_pagemod/mod1/conf.php on line 392

#9 Updated by Helmut Hummel about 6 years ago

Hi Andreas, could you please recheck whether this error happens on a clean TYPO3 installation, meaning without any third-party extension (like templavoila_pagemod or even templavoila) installed.

Regarding the fatal error: this cannot be a TYPO3 core issue, since this seems to be a problem regarding Zend Guard encoded files.

#10 Updated by Oliver Hader over 5 years ago

No further feedback provided - closing this issue.
