Commit c2942387 authored by Benni Mack's avatar Benni Mack Committed by Christian Kuhn

[!!!][TASK] Remove feature security.frontend.keepSessionDataOnLogout

The feature flag "security.frontend.keepSessionDataOnLogout"
was introduced as part of a security bugfix to still enable frontend
users to keep their session data even if they have logged out,
where the session data was transferred and migrated to an
anonymous session.

Since this feature is inherently insecure – a user who logs out on a shared or
public computer would leave their session data behind in an anonymous session
on that machine – the functionality is removed entirely.

Resolves: #92807
Releases: master
Change-Id: Ieaebcc33e85e1df6e359a7eae318712896800bca
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66596


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent 0d2476e1
......@@ -75,7 +75,6 @@ return [
'form.legacyUploadMimeTypes' => true,
'redirects.hitCount' => false,
'unifiedPageTranslationHandling' => false,
'security.frontend.keepSessionDataOnLogout' => false,
'security.backend.enforceReferrer' => true
],
'createGroup' => '',
......@@ -207,9 +207,6 @@ SYS:
redirects.hitCount:
type: bool
description: 'If on, and if extension "redirects" is loaded, each performed redirect is counted and last hit time is logged to the database.'
security.frontend.keepSessionDataOnLogout:
type: bool
description: 'If on, session data is kept in an anonymous session after frontend user logged out. As this is a potential security risk, it is recommended to disable this option if not specifically needed.'
security.backend.enforceReferrer:
type: bool
description: 'If on, HTTP referrer headers are enforced for backend and install tool requests to mitigate
.. include:: ../../Includes.txt
===================================================================================
Breaking: #92807 - Removed feature for keeping session data on frontend user logout
===================================================================================
See :issue:`92807`
Description
===========
When a frontend user logged out, the session data was kept
and transferred to an anonymous session when the feature
flag "security.frontend.keepSessionDataOnLogout" was enabled.
Since this functionality is insecure, and was only introduced
to keep backwards-compatibility in a security release, the feature
has been removed completely.
Impact
======
When logging out as a frontend user, all session data is now
actively removed and not kept as a new anonymous session.
Affected Installations
======================
TYPO3 installations having this feature enabled and actively
using this feature, e.g. in cart functionality.
Migration
=========
It is recommended to build the web application in a way that
the session data is not needed, and instead, a frontend user
should know that their session data is then lost.
Instead, make sure to bind user-specific data either to the
frontend user itself, or re-implement this functionality
yourself by using a logoff() hook for transferring sessions
to anonymous sessions.
.. index:: Frontend, PHP-API, NotScanned, ext:frontend
\ No newline at end of file
......@@ -17,10 +17,8 @@ namespace TYPO3\CMS\Frontend\Authentication;
use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Core\Authentication\AuthenticationService;
use TYPO3\CMS\Core\Configuration\Features;
use TYPO3\CMS\Core\Context\UserAspect;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Session\Backend\Exception\SessionNotFoundException;
use TYPO3\CMS\Core\TypoScript\Parser\TypoScriptParser;
use TYPO3\CMS\Core\Utility\GeneralUtility;
......@@ -515,38 +513,6 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
}
}
/**
* Removes the current session record, sets the internal ->user array to null,
* Thereby the current user (if any) is effectively logged out!
* Additionally the cookie is removed, but only if there is no session data.
* If session data exists, only the user information is removed and the session
* gets converted into an anonymous session if the feature toggle
* "security.frontend.keepSessionDataOnLogout" is set to true (default: false).
*/
protected function performLogoff()
{
$oldSession = [];
$sessionData = [];
try {
// Session might not be loaded at this point, so fetch it
$oldSession = $this->getSessionBackend()->get($this->id);
$sessionData = unserialize($oldSession['ses_data']);
} catch (SessionNotFoundException $e) {
// Leave uncaught, will unset cookie later in this method
}
$keepSessionDataOnLogout = GeneralUtility::makeInstance(Features::class)
->isFeatureEnabled('security.frontend.keepSessionDataOnLogout');
if ($keepSessionDataOnLogout && !empty($sessionData)) {
// Regenerate session as anonymous
$this->regenerateSessionId($oldSession, true);
$this->user = null;
} else {
parent::performLogoff();
}
}
/**
* Regenerate the session ID and transfer the session to new ID
* Call this method whenever a user proceeds to a higher authorization level