Task #56453
Epic #55070: Workpackages
Epic #55066: WP: Security enhancements
Story #55509: Add CSRF Protection to mod.php
Improve usability with multiple tabs open
| Status: | Resolved | Start date: | 2014-02-28 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | - | % Done: | 100% |
| Category: | - | Spent time: | 6.75 hours |
| Target version: | - | | |
| TYPO3 Version: | 6.2 | Complexity: | |
| PHP Version: | | Sprint Focus: | |
Description
When the backend user session expires, a popup window is currently shown which asks the user to log in again when salted passwords or rsaauth are used (which is currently our default).

However, when a user works with multiple browser tabs open, it is easy to overlook this popup. When the user realizes that the session has expired and logs into the backend again in one tab, the session is authenticated in all other open tabs, but a new CSRF protection token has been generated, which makes working in those tabs impossible, especially because the tokens are now checked for virtually any action.

This change cleans up the AjaxLogin functionality by making use of the new Ajax API introduced lately, and functionality is added so that AjaxLogin also works with rsaauth and saltedpasswords enabled.

Additionally, the form protection framework is slightly reworked to better support the re-login and token restore functionality in the AjaxLogin.

The "showRefreshLoginPopup" functionality is still kept, because AjaxLogin still cannot handle OpenID logins.
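To make the failure mode concrete, here is an added illustration (not TYPO3's own FormProtection code) that replays the scenario above: a constructed token store whose `restore_on_relogin` flag switches between regenerating the CSRF token on every login and restoring the user's previous token into the new session, and a `multi_tab_scenario` helper that checks what a second tab still holding the old token experiences after the re-login.

```python
import hmac
import secrets

# Constructed model of a session-bound CSRF token store (not TYPO3's own
# FormProtection code). It replays the scenario from the issue: two tabs hold
# the same token, the session expires, the user logs in again in one tab,
# and the other tab then submits its old token. With restore_on_relogin=True
# the token is persisted per user (a dict standing in for the user record)
# and put back into the new session instead of being regenerated.


class FormProtectionStore:
    def __init__(self, restore_on_relogin: bool) -> None:
        self.restore_on_relogin = restore_on_relogin
        self.persisted = {}   # user -> token; survives session expiry
        self.session = None   # the single live backend session, if any

    def login(self, user: str) -> str:
        token = self.persisted.get(user) if self.restore_on_relogin else None
        if token is None:
            token = secrets.token_hex(32)
        self.session = {"user": user, "csrf_token": token, "expired": False}
        self.persisted[user] = token
        return token

    def expire_session(self) -> None:
        if self.session is not None:
            self.session["expired"] = True

    def validate(self, token: str) -> bool:
        """False when no live session exists or the token differs."""
        if self.session is None or self.session["expired"]:
            return False
        return hmac.compare_digest(token, self.session["csrf_token"])


def multi_tab_scenario(restore_on_relogin: bool) -> dict:
    store = FormProtectionStore(restore_on_relogin)
    tab_token = store.login("editor")          # both tabs rendered with this token
    store.expire_session()
    while_expired = store.validate(tab_token)  # popup or AjaxLogin needed now
    store.login("editor")                      # re-login happens in tab 1 only
    second_tab = store.validate(tab_token)     # tab 2 still submits the old token
    store.login("other_user")                  # another account must not inherit it
    other_user = store.validate(tab_token)
    return {
        "while_expired": while_expired,
        "second_tab_after_relogin": second_tab,
        "other_user": other_user,
    }
```

Without restoring, the second tab's token is rejected after the re-login, which is exactly the "working in this tab is impossible" situation; with restoring, it validates again while a different account still cannot reuse it.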
Associated revisions
[TASK] Improve usability with multiple tabs open
When the backend user session expires, currently a popup window is shown which asks the user to log in again when salted passwords or rsaauth are used (which is currently our default).

However, when a user works with multiple browser tabs open, it is easy to overlook this popup. When realizing that the session has expired and the user logs into the backend again in one tab, the session is authenticated in all other open tabs, but a new CSRF protection token has been generated, which makes working in this tab impossible, especially because the tokens are now checked for virtually any action.

This change cleans up the AjaxLogin functionality by making use of the new Ajax API introduced lately, and functionality is added so that AjaxLogin also works with rsaauth and saltedpasswords enabled.

Additionally, the form protection framework is slightly reworked to better support the re-login and token restore functionality in the AjaxLogin.

The "showRefreshLoginPopup" functionality is still kept, because AjaxLogin still cannot handle OpenID logins.
Resolves: #56453
Releases: 6.2
Change-Id: Ic6c3415f292d346293c7d2c775288f4ba62ebc15
Reviewed-on: https://review.typo3.org/27954
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
History
#1 Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#2 Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#3 Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#4 Updated by Gerrit Code Review over 1 year ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#5 Updated by Gerrit Code Review over 1 year ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#6 Updated by Gerrit Code Review over 1 year ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27954
#7 Updated by Helmut Hummel over 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 9aaeaf5120638ef07087226d8409062a29f527ef.