Bug #58713
Failed feuser login removes the existing session data
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | Resolved | Start date: | 2014-05-12 |
| Priority: | Must have | Due date: | |
| Assigned To: | - | % Done: | 100% |
| Category: | felogin | Spent time: | - |
| Target version: | - | | |
| TYPO3 Version: | 6.2 | Is Regression: | No |
| PHP Version: | 5.3 | Sprint Focus: | |
| Complexity: | medium | | |
Description
In the new version of TYPO3 6.2.2, a failed login in the frontend with a feuser destroys the fe_typo_user cookie, and this destroyed my user session.
Related issues
Associated revisions
[BUGFIX] Keep session cookie if session data is present
The AbstractUserAuthentication::checkAuthentication() method calls
the logoff() method on every failed login attempt.
Since a logoff also causes a removal of the cookie,
any (anonymous) session data will be left inaccessible.
Keep the cookie when session data is present.
Releases: 6.2
Resolves: #58713
Change-Id: I744456f62197a7278635d8564d4883564d954dd2
Reviewed-on: https://review.typo3.org/30485
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Revert "[BUGFIX] Session cookie is not recreated on login"
This reverts commit 76741dff7b967b88aa1d6e556500a77716c7a97a
(https://review.typo3.org/29626)
This change is not needed any more as the fix done
for #58713 also fixes the issues targeted with this fix.
This should be reverted not only because it is not needed
any more but especially because it "abuses" the property
->newSessionID which should only be set when really
a new ID has been generated and not to force the cookie
to be set again.
Releases: 6.2
Resolves: #59614
Reverts: #57751
Related: #58713
Change-Id: I5324769b0795bcc1b1f1e385c73fd085d7b3f571
Reviewed-on: https://review.typo3.org/30753
Reviewed-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
History
#1 Updated by Markus Klein about 1 year ago
- Status changed from New to Accepted
Easiest way to reproduce
- Click on the forgot password link (fe cookie is created)
- Click on the back to login link (fe cookie still there)
- Let a login fail
- Notice the cookie is gone
What happens in the background
When the cookie is first set, its id is chosen randomly. On login attempts a former session (but not the session data!) is discarded and the cookie is unset, I guess for security reasons.
- If the login succeeds, a new session is created (but with the same id, as the id was present from the cookie beforehand) and the session data is preserved, as the session id now exists again.
- If the login fails, no cookie is set anymore and the session data is lost forever, since the next login attempt will generate a new id.
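The sequence described in the comment above and in the commit message, as an added example that is not part of this issue or of TYPO3's own code: a small PHP 8 model of the frontend cookie/session lifecycle, with the pre-fix logoff() (cookie always dropped) and the post-fix logoff() (cookie kept while session data exists) selectable by a flag. The class name SessionModel, the method startRequest(), the flag $keepCookieWhenDataPresent, the two stores and the credentials are assumptions for illustration; only checkAuthentication() and logoff() correspond to the TYPO3 methods named in the commit message, and their bodies here are a simplification of what the page describes, not TYPO3 source.

```php
<?php
// Added example, not TYPO3 code: models the 6.2 frontend session/cookie
// behaviour described in issue #58713. All names below are assumptions.

final class SessionModel
{
    public const COOKIE = 'fe_typo_user';

    /** @var array<string,bool> user sessions keyed by session id (the "session" that logoff discards) */
    private array $sessions = [];
    /** @var array<string,array<string,string>> anonymous session data keyed by session id (not discarded by logoff) */
    private array $sessionData = [];
    /** @var array<string,string> cookies as the browser carries them from one request to the next */
    private array $browserCookies = [];

    private string $id = '';

    public function __construct(private bool $keepCookieWhenDataPresent) {}

    /** Start of a request: take the id from the cookie, or mint a fresh random one and set the cookie. */
    public function startRequest(): void
    {
        if (isset($this->browserCookies[self::COOKIE])) {
            $this->id = $this->browserCookies[self::COOKIE];
        } else {
            $this->id = bin2hex(random_bytes(16));
            $this->browserCookies[self::COOKIE] = $this->id;
        }
    }

    /** E.g. the "forgot password" form storing something in the anonymous session. */
    public function setSessionData(string $key, string $value): void
    {
        $this->sessionData[$this->id][$key] = $value;
    }

    public function getSessionData(string $key): ?string
    {
        return $this->sessionData[$this->id][$key] ?? null;
    }

    /** checkAuthentication(): a failed attempt calls logoff(), as the commit message states for 6.2.2. */
    public function checkAuthentication(string $user, string $password): bool
    {
        // Constructed credential check for the example; a real system verifies a password hash.
        $ok = $user === 'alice' && hash_equals('correct horse', $password);
        if ($ok) {
            $this->sessions[$this->id] = true;   // new user session under the id already in the cookie
            return true;
        }
        $this->logoff();
        return false;
    }

    /** logoff(): discards the user session; before the fix it also dropped the cookie unconditionally. */
    public function logoff(): void
    {
        unset($this->sessions[$this->id]);
        if ($this->keepCookieWhenDataPresent && !empty($this->sessionData[$this->id])) {
            return;   // fix: keep the cookie so the existing session data stays reachable
        }
        unset($this->browserCookies[self::COOKIE]);   // cookie expired in the response
    }

    public function hasCookie(): bool
    {
        return isset($this->browserCookies[self::COOKIE]);
    }
}

/** Replays the four reproduction steps from the comment and reports what survived. */
function runScenario(bool $fixed): array
{
    $m = new SessionModel($fixed);
    $m->startRequest();                                    // 1. forgot-password page: cookie created
    $m->setSessionData('pw_reset_started', '1');
    $m->startRequest();                                    // 2. back to login: cookie still there
    $failed = !$m->checkAuthentication('alice', 'wrong');  // 3. let a login fail
    $cookieKept = $m->hasCookie();                         // 4. is the cookie gone?
    $m->startRequest();                                    // next request: same id or a fresh one
    return [
        'login_failed'  => $failed,
        'cookie_kept'   => $cookieKept,
        'data_survives' => $m->getSessionData('pw_reset_started') === '1',
    ];
}

print_r(runScenario(false));  // behaviour before the fix
print_r(runScenario(true));   // behaviour with the fix
```

The point worth checking when reviewing a change like this: the fix deliberately keeps the pre-authentication session id alive across failed attempts, and the comment above notes that a successful login reuses that same id rather than issuing a new one. Whether an id a user arrived with can therefore be carried into an authenticated session is the session-fixation question this page does not settle, so it is the one to verify separately against the id handling on successful login.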
#2 Updated by Markus Klein about 1 year ago
- Complexity set to medium
#3 Updated by Markus Klein about 1 year ago
- Subject changed from Fail Login with feuser delete the fe_typo_user cookie to Failed feuser login removes the existing session data
#4 Updated by Gerrit Code Review about 1 year ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485
#5 Updated by Gerrit Code Review about 1 year ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485
#6 Updated by Gerrit Code Review about 1 year ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485
#7 Updated by Gerrit Code Review about 1 year ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30485
#8 Updated by Helmut Hummel about 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1d23e5e04424060237f9e5b26421efca6efd93b2.