Feature #35965
Session shouldn't start automatically
| Status: | Resolved | Start date: | 2012-04-13 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | Andreas Förthner | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.1 | | |
| PHP Version: | | Complexity: | easy |
| Has patch: | No | | |
Description
By default session handling is started automatically. This isn't useful when it comes to server/server communication.
Places where it should be fixed:
TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager line 130
* @FLOW3\Session(autoStart=true)
and
Package line 46/47
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'authenticatedToken', 'TYPO3\FLOW3\Session\SessionInterface', 'renewId');
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'loggedOut', 'TYPO3\FLOW3\Session\SessionInterface', 'destroy');
Associated revisions
[!!!][TASK] Change session autostart handling for authentication providers
The session autostart annotation is set at the
providers, not at the authentication manager. By
this every provider can decide on its own, if a
session is needed or not.
Also adds a safeguard in the Session Logging Aspect
to prevent errors while trying to log renewId()
even though the session was not started yet.
Change-Id: Idea18525c2ac19f0d56b7ebb3b314009a2e93461
Releases: 1.1
Resolves: #35965
[BUGFIX] Assure fresh session for functional tests
The changes done to resolve #35965 came with a functional
test that worked fine when run in isolation but failed when
run with other tests that would start a session.
This patch moves the $session->destroy() call in the
base test case from the tearDown() to the setUp()
method and fixes the behavior of destroy() in the
TransientSession which did not reset the "started"
flag.
Change-Id: I2fd85d24ef7456c84c9b36386a206c4c86a117bc
Related: #35965
Releases: 1.1
[BUGFIX] Adjust TransientSession unit test to recent change
The change in TransientSession to close the session when destroy()
is called needed to be reflected in the unit test.
Change-Id: I4bb7b128ed934afa08223eb3aeeae2f847f918a4
Related: #35965
Releases: 1.1
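The behaviour described in the first revision above (each provider decides whether a session is needed, and renewId() can be signalled safely when no session was started), as an added example that is not part of the ticket or of the TYPO3 Flow code base. It is a self-contained PHP 8 model; ModelSession, ModelProvider, authenticate() and the sample credentials are hypothetical names and constructed values.

```php
<?php
// Self-contained model, not TYPO3 Flow code; every name here is hypothetical.
final class ModelSession
{
    private bool $started = false;
    private string $id = '';

    public function start(): void
    {
        $this->started = true;
        $this->id = bin2hex(random_bytes(16));
    }
    public function isStarted(): bool { return $this->started; }
    // Safeguard: renewing a session that was never started does nothing.
    public function renewId(): void
    {
        if ($this->started) { $this->id = bin2hex(random_bytes(16)); }
    }
}

final class ModelProvider
{
    public function __construct(
        public string $name,
        public string $secret,       // constructed sample credential
        public bool $needsSession    // the per-provider "autostart" decision
    ) {}
}

function authenticate(ModelSession $session, array $providers, string $name, string $credential): bool
{
    foreach ($providers as $p) {
        // Constant-time comparison of the presented credential
        if ($p->name !== $name || !hash_equals($p->secret, $credential)) { continue; }
        // Only providers that declared a need for a session start one
        if ($p->needsSession && !$session->isStarted()) { $session->start(); }
        $session->renewId();  // always signalled after authentication; no-op if not started
        return true;
    }
    return false;
}

$providers = [
    new ModelProvider('form-login', 'constructed-password', true),
    new ModelProvider('api-token', 'constructed-token', false),  // server/server case
];
$api = new ModelSession();
var_dump(authenticate($api, $providers, 'api-token', 'constructed-token'), $api->isStarted());
$web = new ModelSession();
var_dump(authenticate($web, $providers, 'form-login', 'constructed-password'), $web->isStarted());
```

Both calls authenticate, but only the form-login case leaves a started session behind; the api-token case authenticates without creating one.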
History
#1 Updated by Andreas Förthner over 3 years ago
- Project changed from TYPO3 Flow Base Distribution to TYPO3.Flow
#2 Updated by Andreas Förthner over 3 years ago
- Category set to Security
- Has patch set to No
- Complexity set to easy
#3 Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469
#4 Updated by Robert Lemke about 3 years ago
Just for the record: it's not correct that sessions are generally started automatically - the "autostart" feature exists exactly for having more control over that behavior. What's right though is that the authenticate() method is starting a session because I did not consider authentication mechanisms which don't need sessions.
#5 Updated by Gerrit Code Review about 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469
#6 Updated by Gerrit Code Review about 3 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10469
#7 Updated by Andreas Förthner about 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset ab61bd444fe1d2b1feb0e6e6a224575824fc7ce9.