[SECURITY] Session timeout can be circumvented once 01/30301/2
author Markus Klein <klein.t3@mfc-linz.at>
Thu, 22 May 2014 07:33:36 +0000 (09:33 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:33:40 +0000 (09:33 +0200)
commit d591b1d45e350fe1e467b1ffada91a4252314721
tree 389bc2d81284ce0dcc8a6e4f495e7e23fc50c5ba
parent d554ac5323f3b0fac1fce4c2c491d0123badd669
[SECURITY] Session timeout can be circumvented once

Fix the AbstractUserAuthentication class to properly invalidate
the current session if it timed out.

Change-Id: Id50ee1abd197674fa9379b52b46b63ecf770c964
Fixes: #57673
Releases: 6.2
Security-Commit: 38e24be1ff26fa181f16b91c57a0fcbe4da5065a
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30301
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php