[!!!][TASK] Remove lockHashKeyWords functionality 37/51437/4
author Benni Mack <benni@typo3.org>
Thu, 26 Jan 2017 16:36:46 +0000 (17:36 +0100)
committer Georg Ringer <georg.ringer@gmail.com>
Fri, 27 Jan 2017 11:01:03 +0000 (12:01 +0100)
commit 77fbd85155bfa3462f74aec394c141f41f4d430e
tree 7328a4467cda5c294a054410cf9dc5ec3134172c
parent c0d87152e78a5facf41e6af5af2c29dd6d91783b
[!!!][TASK] Remove lockHashKeyWords functionality

The TYPO3 Core used the "useragent" to create a hashbase
by default to harden the session hijacking functionality.

This very very old feature adds a tiny bit of security on top,
however it has the drawback that users get logged out (of BE or FE)
if their browser updates (due to evergreen browsers or security
updates as the user agent string changes). This is very inconvenient
for websites that use a very long session time for logged in users
in the frontend (or backend) when using TYPO3 as a platform or
application.

It was originally conceived so it could be extended but there is no
hook to do so, and extending all classes does not really make a lot
of sense in the hierarchical PHP class structure.

Resolves: #79513
Releases: master
Change-Id: I78e58210da80c7c1544a644e8e10bc1f667b5bf1
Reviewed-on: https://review.typo3.org/51437
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-79513-RemovedSessionLockingBasedOnUseragent.rst [new file with mode: 0644]
typo3/sysext/core/ext_tables.sql
typo3/sysext/frontend/ext_tables.sql
typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
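
An added illustration, not TYPO3's code, of the user-agent session lock the commit message describes and the logout-on-browser-update side effect that motivated its removal. The hashing scheme, function names, the `enforce_lock` switch and the User-Agent strings are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session store: session id -> (user, user-agent lock)
SESSIONS = {}

def ua_lock(user_agent):
    """Derive the lock value from the User-Agent header (constructed scheme)."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

def login(user, user_agent):
    """Create a session and record the lock for the browser that logged in."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = (user, ua_lock(user_agent))
    return sid

def authenticate(sid, user_agent, enforce_lock=True):
    """Return the session's user, or None if the session is rejected."""
    record = SESSIONS.get(sid)
    if record is None:
        return None
    user, lock = record
    if enforce_lock and not hmac.compare_digest(lock, ua_lock(user_agent)):
        # Header differs from the one seen at login: drop the session,
        # which the user experiences as being logged out.
        del SESSIONS[sid]
        return None
    return user

# Constructed User-Agent strings: the same browser before and after an update.
UA_BEFORE = "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
UA_AFTER = "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"

def demo():
    results = {}
    sid = login("editor", UA_BEFORE)
    results["same_browser"] = authenticate(sid, UA_BEFORE)
    results["after_update_locked"] = authenticate(sid, UA_AFTER)
    results["session_survived"] = sid in SESSIONS
    sid2 = login("editor", UA_BEFORE)
    results["after_update_unlocked"] = authenticate(sid2, UA_AFTER, enforce_lock=False)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the lock enforced, a one-digit version change in the header ends a long-lived session; with it disabled, the session id alone decides.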