Commit 76f43ac7 authored by Benni Mack, committed by Benjamin Franzke

[!!!][TASK] Remove support for FE_SESSION_KEY session transfer

A seldom used (and undocumented) feature to transfer a session
via the GET parameter FE_SESSION_KEY is removed in favor
of custom authentication services when integrating third-party
Single-Sign-On processes.

Resolves: #93002
Releases: master
Change-Id: I8418bdf36ce3dd2ab63edb9a77f2db59beeaac43
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67035


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
parent 42f7fa6b
.. include:: ../../Includes.txt
==========================================================================
Breaking: #93002 - Support for session transfer via FE_SESSION_KEY removed
==========================================================================
See :issue:`93002`
Description
===========
TYPO3's Frontend Session Handling has had a custom feature by setting a custom
GET variable called `FE_SESSION_KEY` to inject an existing session into a
Frontend Request without having a cookie sent as response.
This seldom used feature, which was limited to Frontend sessions only, and
required knowledge of third-party integrations for TYPO3's encryption key to
create such a session key is removed.
Features for integrating sessions should instead be built with custom
AuthenticationServices, e.g. for Single-Sign-On functionality.
Impact
======
Calling TYPO3's Frontend with `FE_SESSION_KEY` as GET parameter has no effect
anymore, and will not pick up an existing session anymore.
Affected Installations
======================
TYPO3 installations using this `FE_SESSION_KEY` which is very rare and unlikely
to be used in the past.
Migration
=========
Build a custom Authentication Service to log in and use user session instead
in a third-party extension.
.. index:: Frontend, NotScanned, ext:frontend
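Review bot: the Description and Impact sections of this changelog understate both what the removed code accepted and why removing it matters. The removed lookup read `FE_SESSION_KEY` from the parsed body as well as the query string, so "GET parameter" should read "GET/POST parameter". More importantly, the removed check `hash_equals(md5($sessionId . '/' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), (string)$hash)` only proved that whoever built the key knew the site's encryption key, not that the session belonged to the requester, and the session ID travelled in the URL (logs, Referer headers); one sentence stating that this is why the mechanism is dropped rather than only "seldom used" would help integrators judge urgency. Two wording points: "required knowledge of third-party integrations for TYPO3's encryption key" is hard to parse and should say that third-party code had to know TYPO3's encryption key, and the Affected Installations sentence "which is very rare and unlikely to be used in the past" should be "This is expected to be very rare." Finally, since the protected method `transferFrontendUserSession()` is removed from the middleware, either list that under Impact for anyone extending `FrontendUserAuthenticator` or note why `NotScanned` is justified.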
......@@ -58,12 +58,6 @@ class FrontendUserAuthenticator implements MiddlewareInterface
$frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
}
// Check if a session is transferred, and update the cookie parameters
$frontendSessionKey = $request->getParsedBody()['FE_SESSION_KEY'] ?? $request->getQueryParams()['FE_SESSION_KEY'] ?? '';
if ($frontendSessionKey) {
$request = $this->transferFrontendUserSession($frontendUser, $request, $frontendSessionKey);
}
// Authenticate now
$frontendUser->start();
$frontendUser->unpack_uc();
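Review bot: no test accompanies this removal, yet the changelog asserts that calling the frontend with `FE_SESSION_KEY` "has no effect anymore"; a functional test that sends `?FE_SESSION_KEY=<id>-<md5>` (and the same pair in a POST body, since the removed line also consulted `getParsedBody()`) and asserts that `$frontendUser->start()` does not pick up that session would pin the new behaviour and guard against the branch being reintroduced. After this hunk, `$request` is never reassigned before `$frontendUser->start()`, which is the intended state, so nothing else in the visible context needs adjusting.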
......@@ -89,43 +83,6 @@ class FrontendUserAuthenticator implements MiddlewareInterface
return $response;
}
/**
* It's possible to transfer a frontend user session via a GET/POST parameter 'FE_SESSION_KEY'.
* In the future, this logic should be moved into the FrontendUserAuthentication object directly,
* but only if FrontendUserAuthentication does not request superglobals (like $_COOKIE) anymore.
*
* @param FrontendUserAuthentication $frontendUser
* @param ServerRequestInterface $request
* @param string $frontendSessionKey
* @return ServerRequestInterface
*/
protected function transferFrontendUserSession(
FrontendUserAuthentication $frontendUser,
ServerRequestInterface $request,
string $frontendSessionKey
): ServerRequestInterface {
[$sessionId, $hash] = explode('-', $frontendSessionKey);
// If the session key hash check is OK, set the cookie
if (hash_equals(md5($sessionId . '/' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), (string)$hash)) {
$cookieName = FrontendUserAuthentication::getCookieName();
// keep the global cookie overwriting for now, as long as FrontendUserAuthentication does not
// use the request object for fetching the cookie information.
$_COOKIE[$cookieName] = $sessionId;
if (isset($_SERVER['HTTP_COOKIE'])) {
// See https://forge.typo3.org/issues/27740
$_SERVER['HTTP_COOKIE'] .= ';' . $cookieName . '=' . $sessionId;
}
// Add the cookie to the Server Request object
$cookieParams = $request->getCookieParams();
$cookieParams[$cookieName] = $sessionId;
$request = $request->withCookieParams($cookieParams);
$frontendUser->forceSetCookie = true;
$frontendUser->dontSetCookie = false;
}
return $request;
}
/**
* Adding headers to the response to avoid caching on the client side.
* These headers will override any previous headers of these names sent.
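Review bot: removing this method is the right call, and the reasons are worth recording in the commit message or changelog rather than leaving them implicit. The `hash_equals(md5($sessionId . '/' . ... ['encryptionKey']), (string)$hash)` check authorised the bearer of the encryption key, not the owner of the session, so anyone holding (or having leaked) that key could attach an arbitrary session ID to a request; the code then mutated `$_COOKIE` and `$_SERVER['HTTP_COOKIE']` directly, which is exactly the superglobal coupling the comment on the old method already flagged. Two follow-ups: `$frontendUser->forceSetCookie = true;` and `$frontendUser->dontSetCookie = false;` were the only writes to those properties in this file, so please check whether `FrontendUserAuthentication` still has other users of them or whether they are now dead state to deprecate; and the `// See https://forge.typo3.org/issues/27740` workaround disappears with this hunk, so that issue should be referenced in the changelog if anyone still relies on it.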