[BUGFIX] Information disclosure during backend login
authorHelmut Hummel <helmut.hummel@typo3.org>
Wed, 27 Jul 2011 10:27:00 +0000 (12:27 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:28:18 +0000 (12:28 +0200)
Change-Id: I5df743d9432b12b77e7fb44910d1f66619db2e45
Resolves: #24456
Reviewed-on: http://review.typo3.org/3737
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_userauth.php

index c701e8d..1c9ce82 100644 (file)
@@ -252,6 +252,9 @@ class t3lib_userAuth {
                        // Make certain that NO user is set initially
                $this->user = '';
 
+                       // We need a PHP session session for most login levels
+               session_start();
+
                        // Check to see if anyone has submitted login-information and if so register the user with the session. $this->user[uid] may be used to write log...
                $this->checkAuthentication();
 
@@ -1205,7 +1208,6 @@ class t3lib_userAuth {
 
                                        // Check challenge stored in cookie:
                                if ($this->challengeStoredInCookie)     {
-                                       session_start();
                                        if ($_SESSION['login_challenge'] !== $loginData['chalvalue']) {
                                                if ($this->writeDevLog)         t3lib_div::devLog('PHP Session stored challenge "'.$_SESSION['login_challenge'].'" and submitted challenge "'.$loginData['chalvalue'].'" did not match, so authentication failed!', 't3lib_userAuth', 2);
                                                $this->logoff();
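Review bot: The `session_start();` added in the first hunk runs unconditionally, so if a PHP session is already active when start() is reached (for example started earlier in the same request by other code) PHP emits an "A session had already been started" notice; guard it with `if (session_id() === '') { session_start(); }`. The comment above it also doubles a word and should read `// We need a PHP session for most login levels`. With the second hunk, the `$_SESSION['login_challenge']` comparison now relies on that earlier call having happened, which holds only as long as checkAuthentication() is reached through start(), as the context in the first hunk suggests but this page cannot confirm. Both hunks sit inside methods whose beginning and end lie outside the shown lines.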