[BUGFIX] Don't unnecessarily start PHP session
authorHelmut Hummel <helmut.hummel@typo3.org>
Sat, 17 Sep 2011 15:59:51 +0000 (17:59 +0200)
committerHelmut Hummel <typo3@helmut-hummel.de>
Mon, 19 Sep 2011 19:41:15 +0000 (21:41 +0200)
Because of an information disclosure problem in the backend login
we moved the session_start() in t3lib_userauth to a place which caused
unwanted side effects with 3rd party extensions.

Revert that change to avoid compatibility and performance problems
and instead send no cache headers earlier in t3lib_userauth
to also fix the information disclosure.

Releases: 4.3, 4.4, 4.5, 4.6
Resolves: #29274
Related: #24456, #28694

Change-Id: I87226a21d9b1955773ceb3c377fa1b4c9938e6b2
Reviewed-on: http://review.typo3.org/5070
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
t3lib/class.t3lib_userauth.php

index af56025..e8256eb 100644 (file)
@@ -252,8 +252,13 @@ class t3lib_userAuth {
                        // Make certain that NO user is set initially
                $this->user = '';
 
-                       // We need a PHP session session for most login levels
-               session_start();
+                       // Set all posible headers that could ensure that the script is not cached on the client-side
+               if ($this->sendNoCacheHeaders) {
+                       header('Expires: 0');
+                       header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
+                       header('Cache-Control: no-cache, must-revalidate');
+                       header('Pragma: no-cache');
+               }
 
                        // Check to see if anyone has submitted login-information and if so register the user with the session. $this->user[uid] may be used to write log...
                $this->checkAuthentication();
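Review bot: The `Cache-Control: no-cache, must-revalidate` value on the moved header line still lets browsers and shared caches store the response and only forces revalidation, so for a change whose stated purpose is to stop an information disclosure the directive that actually prevents storage is missing; `header('Cache-Control: no-store, no-cache, must-revalidate');` closes that gap (back-button and proxy copies of the login/backend pages). Moving the block ahead of checkAuthentication() is otherwise sound, since any redirect() or other response produced during authentication now carries these headers. Each header() call will raise a "headers already sent" warning and be ignored if output has already started; whether anything before this point emits output is not visible here. The enclosing method starts outside the hunk.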
@@ -299,13 +304,6 @@ class t3lib_userAuth {
                if (!$this->userid && $this->auth_url) { // if no userid AND an include-document for login is given
                        $this->redirect();
                }
-                       // Set all posible headers that could ensure that the script is not cached on the client-side
-               if ($this->sendNoCacheHeaders) {
-                       header('Expires: 0');
-                       header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-                       header('Cache-Control: no-cache, must-revalidate');
-                       header('Pragma: no-cache');
-               }
 
                        // Set $this->gc_time if not explicitely specified
                if ($this->gc_time == 0) {
@@ -1302,6 +1300,7 @@ class t3lib_userAuth {
 
                                        // Check challenge stored in cookie:
                                if ($this->challengeStoredInCookie) {
+                                       session_start();
                                        if ($_SESSION['login_challenge'] !== $loginData['chalvalue']) {
                                                if ($this->writeDevLog) {
                                                        t3lib_div::devLog('PHP Session stored challenge "' . $_SESSION['login_challenge'] . '" and submitted challenge "' . $loginData['chalvalue'] . '" did not match, so authentication failed!', 't3lib_userAuth', 2);
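Review bot: The added `session_start()` is unconditional, so if a third-party extension or the code that stored the challenge has already opened the session (the very scenario the description says motivated this change), PHP raises a "session had already been started" notice; guard it with `if (session_id() === '') { session_start(); }` (session_status() requires PHP 5.4, newer than these release branches). The comparison on the next line reads `$_SESSION['login_challenge']` without an isset() check, so a request arriving with no stored challenge produces an undefined-index notice instead of a clean failure — `if (!isset($_SESSION['login_challenge']) || $_SESSION['login_challenge'] !== $loginData['chalvalue'])` fails closed. Whether the stored challenge is cleared after a successful comparison is not visible here; if it is not, a captured challenge remains replayable for the session's lifetime. The enclosing method starts and ends outside the hunk.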