[BUGFIX] Abandon one time CSRF tokens
author Helmut Hummel <helmut.hummel@typo3.org>
Sun, 20 Mar 2011 18:15:57 +0000 (19:15 +0100)
committer Helmut Hummel <typo3@helmut-hummel.de>
Fri, 29 Apr 2011 22:02:46 +0000 (00:02 +0200)
commit d8b85b633f7cbd7d28675af4da16c7a002e67e1f
tree 45f83b9d378966ef3fc88218a299827ef839a242
parent 06711c2cce8ff87397b373810b1ac6fd13aa6e2c
[BUGFIX] Abandon one time CSRF tokens

Abandon the extra security feature of having one time tokens and create tokens
which are valid during a whole login session. Additionally create only one random token,
store it in the session and create the real URL and form tokens by hashing the scope strings
with the secret session token.

To enable re-login, store the session token in the registry and retrieve it in case a
re-login happens.

Thanks to Marion Eher (Bluechip.at) for sponsoring
this fix with 75 beers during the bug auction at T3BOARD11.

Resolves: #25359
Change-Id: If37990fbc1ae3701777e8218cc1bc8760a4d6a55
Releases: 4.6, 4.5
Reviewed-on: http://review.typo3.org/1364
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
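The scheme the commit message describes, as an added illustration that is not TYPO3's own code: a single random secret per login session, with each form or URL token derived by hashing the scope strings with that secret and validated by recomputing. The class name, the pipe-joined scope layout, the use of HMAC-SHA256 as the keyed hash and the sample scope values are assumptions made for this example.

```php
<?php
// Added example, not TYPO3's implementation: session-scoped CSRF tokens
// derived from one secret instead of stored one-time tokens.

final class SessionScopedFormProtection
{
    private string $sessionToken;

    // The session token is the only random value. It is kept in the
    // session (and, per the commit message, in the registry so it can be
    // restored after a re-login) rather than one stored value per form.
    public function __construct(?string $existingSessionToken = null)
    {
        $this->sessionToken = $existingSessionToken ?? bin2hex(random_bytes(32));
    }

    public function getSessionToken(): string
    {
        return $this->sessionToken;
    }

    // Derive the token for a scope. Deterministic, so a form can be
    // rendered and submitted any number of times during the session
    // without server-side bookkeeping per issued token.
    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        $scope = $formName . '|' . $action . '|' . $formInstanceName; // assumed scope layout
        return hash_hmac('sha256', $scope, $this->sessionToken);       // assumed keyed hash
    }

    // Validate by recomputing; hash_equals() compares in constant time.
    public function validateToken(string $token, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        $expected = $this->generateToken($formName, $action, $formInstanceName);
        return hash_equals($expected, $token);
    }
}

// Constructed scope values for demonstration.
$protection = new SessionScopedFormProtection();
$token = $protection->generateToken('tce_db', 'delete', 'tt_content:42');

echo 'same scope accepted: ', var_export($protection->validateToken($token, 'tce_db', 'delete', 'tt_content:42'), true), PHP_EOL;
echo 'other action accepted: ', var_export($protection->validateToken($token, 'tce_db', 'edit', 'tt_content:42'), true), PHP_EOL;

// A later request that restores the same session token (the re-login case)
// recomputes the same tokens, so forms opened before the re-login still work.
$restored = new SessionScopedFormProtection($protection->getSessionToken());
echo 'after re-login accepted: ', var_export($restored->validateToken($token, 'tce_db', 'delete', 'tt_content:42'), true), PHP_EOL;
```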
23 files changed:
t3lib/class.t3lib_befunc.php
t3lib/class.t3lib_pagerenderer.php
t3lib/class.t3lib_tceforms.php
t3lib/formprotection/class.t3lib_formprotection_abstract.php
t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php
t3lib/formprotection/class.t3lib_formprotection_disabledformprotection.php
t3lib/formprotection/class.t3lib_formprotection_factory.php
t3lib/formprotection/class.t3lib_formprotection_installtoolformprotection.php
tests/t3lib/formprotection/class.t3lib_formprotection_AbstractTest.php
tests/t3lib/formprotection/class.t3lib_formprotection_BackendFormProtectionTest.php
tests/t3lib/formprotection/class.t3lib_formprotection_InstallToolFormProtectionTest.php
tests/t3lib/formprotection/fixtures/class.t3lib_formprotection_testing.php
typo3/alt_clickmenu.php
typo3/classes/class.ajaxlogin.php
typo3/classes/class.clearcachemenu.php
typo3/index.php
typo3/js/clearcachemenu.js
typo3/js/loginrefresh.js
typo3/logout.php
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/setup/mod/index.php
typo3/tce_db.php
typo3/template.php