Bug #9532
FLOW3 loses session data / tokens if scope session is used elsewhere
| Status: | Resolved | Start date: | 2010-08-31 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assigned To: | Robert Lemke | % Done: | 100% |
| Category: | Session | | |
| Target version: | TYPO3 Flow Base Distribution - 1.0 alpha 12 | | |
| PHP Version: | | Complexity: | |
| Has patch: | | Affected Flow version: | |
Description
In the TYPO3 package I started implementing a TYPO3-specific session class:
```php
/**
 * A TYPO3 Session
 *
 * @license http://www.gnu.org/licenses/gpl.html GNU General Public License, version 3 or later
 * @scope session
 */
class Session {

	/**
	 * @var \F3\PHPCR\SessionInterface
	 */
	protected $contentRepositorySession;

	/**
	 * Constructs the TYPO3 Session.
	 *
	 * This logs in at the Content Repository with the currently logged in
	 * TYPO3 user and attaches the CR's session to this TYPO3 session.
	 *
	 * @param \F3\PHPCR\RepositoryInterface $contentRepository
	 * @param \F3\FLOW3\Security\Context $securityContext
	 * @author Robert Lemke <robert@typo3.org>
	 */
	public function __construct(\F3\PHPCR\RepositoryInterface $contentRepository, \F3\FLOW3\Security\Context $securityContext) {
		$account = $securityContext->getAccount();
		$workspaceName = ($account !== NULL) ? 'user-' . $account->getAccountIdentifier() : 'live';
		$this->contentRepositorySession = $contentRepository->login(NULL, $workspaceName);
	}

	/**
	 * Returns the current content repository session, if any
	 *
	 * @return \F3\PHPCR\SessionInterface
	 * @author Robert Lemke <robert@typo3.org>
	 */
	public function getContentRepositorySession() {
		return $this->contentRepositorySession;
	}
}
```
So, essentially TYPO3 Session objects contain a reference to a CR session (which is of scope prototype) and some other objects attached to that session.
Now, when I log in to the TYPO3 backend and then afterwards call a controller (in this case a Node service controller) which accesses this TYPO3 session, I lose the UsernamePassword token and therefore need to authenticate again. When I disable the @scope session of the TYPO3 Session class, I don't have to re-authenticate.
Associated revisions
[+BUGFIX] FLOW3 (Security): Tokens don't get lost anymore between requests
If an authenticated user used a part of an application which did not
need to call certain functions of the Security Context (such as getRole())
then the login (i.e. the authentication token) was lost on the next
request. This was due to separateActiveAndInactiveTokens() only being
called on demand in certain situations.
This token separation is now done during the initialization of the security
context.
Change-Id: I8ec310b1e32540d95ab3d49c3bccc203eca60311
Resolves: #9532
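A simplified model of the failure mode the commit message describes, added here as an illustration and not taken from FLOW3's code base. Only the name separateActiveAndInactiveTokens() comes from the page; the class `ModelSecurityContext`, its other methods, and the assumption that the context writes its token list back to the session from the separated lists at the end of a request are hypothetical.

```php
<?php
// Simplified model, not FLOW3 code. Assumption: at the end of a request the
// context rebuilds the token list it stores in the session from its
// active/inactive lists, which are only filled by the separation step.
final class ModelSecurityContext
{
    private array $tokens;
    private array $activeTokens = [];
    private array $inactiveTokens = [];

    public function __construct(array $sessionTokens, bool $separateOnInit)
    {
        $this->tokens = $sessionTokens;
        if ($separateOnInit) {
            $this->separateActiveAndInactiveTokens(); // behaviour after the fix
        }
    }

    private function separateActiveAndInactiveTokens(): void
    {
        // Model simplification: every restored token is active for this request.
        $this->activeTokens = $this->tokens;
    }

    // Stands in for the calls the commit message mentions (such as getRole()).
    public function getRoles(): array
    {
        $this->separateActiveAndInactiveTokens(); // on-demand separation
        return array_map(fn (string $t): string => "role-for-$t", $this->activeTokens);
    }

    // Assumed end-of-request step: returns what is written back to the session.
    public function shutdown(): array
    {
        return array_merge($this->inactiveTokens, $this->activeTokens);
    }
}

// One request that never asks the context for roles; returns the session after it.
function requestWithoutRoleLookup(array $session, bool $separateOnInit): array
{
    return (new ModelSecurityContext($session, $separateOnInit))->shutdown();
}

$afterLogin = ['UsernamePassword']; // constructed sample session content
var_dump(requestWithoutRoleLookup($afterLogin, false)); // lazy separation
var_dump(requestWithoutRoleLookup($afterLogin, true));  // separation at init
```

With on-demand separation the request that never looks up roles writes an empty token list back to the session, so the next request is unauthenticated; with separation at initialization the UsernamePassword token survives.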
History
#1 Updated by Robert Lemke almost 5 years ago
- Status changed from Accepted to Resolved
- % Done changed from 0 to 100
Applied in changeset 327a31d1f49be1babcbd0ebc089b92e8cb2fb2d4.