[SECURITY] Session timeout can be circumvented once 01/30301/2
author: Markus Klein <klein.t3@mfc-linz.at>
Thu, 22 May 2014 07:33:36 +0000 (09:33 +0200)
committer: Oliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:33:40 +0000 (09:33 +0200)
Fix the AbstractUserAuthentication class to properly invalidate
the current session if it timed out.

Change-Id: Id50ee1abd197674fa9379b52b46b63ecf770c964
Fixes: #57673
Releases: 6.2
Security-Commit: 38e24be1ff26fa181f16b91c57a0fcbe4da5065a
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30301
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

index a34b11c..6929a37 100644
@@ -1008,6 +1008,7 @@ abstract class AbstractUserAuthentication {
                        } else {
                                // Delete any user set...
                                $this->logoff();
+                               $user = FALSE;
                        }
                }
                return $user;
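Review bot: The defect in this branch is that `$user`, already populated from the session lookup, was still handed back by `return $user;` after `$this->logoff();`, so a caller received a user record for a session that had just been invalidated for timing out; assigning `$user = FALSE;` before the return closes that gap. Two follow-ups worth considering: extend the comment `// Delete any user set...` to state that the fetched record is also discarded, and add a unit test asserting the method returns FALSE once the session timeout has elapsed so the regression cannot reappear.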