[!!!][SECURITY] Disallow session data transfer on frontend user logout
When frontend users logged out, their session data (e.g. shopping cart) was transferred into an anonymous session. This session could have been reused by a different user working with the very same browser.

In order to enhance security aspects on this topic, session data is purged when an according frontend user is logging out. Since this might be breaking for some scenarios, a new feature toggle has been introduced which allows keeping the previous behavior:

boolean 'security.frontend.keepSessionDataOnLogout' in $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']

Resolves: #88139
Releases: master, 9.5, 8.7
Security-Commit: 89c45f80388f24f08f827c474daa5ab8fda63da2
Security-Bulletin: TYPO3-CORE-SA-2019-018
Change-Id: I869f3bee7c6bf6e2ae51bcd86273b6abc15f09c5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61144
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
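The behaviour change described in the commit message, shown as an added PHP illustration that is not TYPO3's own code and does not use its API: a hypothetical `buildAnonymousSessionAfterLogout()` decides what the follow-up anonymous session starts with. The only name taken from the page is the feature toggle `security.frontend.keepSessionDataOnLogout`; the `$features` array stands in for `$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']`, and the cart payload is a constructed sample.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical logout helper (illustration only, not TYPO3 code).
 *
 * $authenticatedSession  data held by the logged-in user's session, e.g. a cart
 * $features              mirrors $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']
 *
 * Returns the payload the new anonymous session is seeded with. Before the fix
 * the whole payload was carried over unconditionally; after the fix it is only
 * carried over when the toggle is explicitly enabled.
 */
function buildAnonymousSessionAfterLogout(array $authenticatedSession, array $features): array
{
    $keep = (bool)($features['security.frontend.keepSessionDataOnLogout'] ?? false);

    if ($keep) {
        // Opt-in legacy behaviour: the next visitor in the same browser inherits
        // everything the previous user left in the session.
        return $authenticatedSession;
    }

    // Default after the fix: start the anonymous session empty so nothing from
    // the authenticated session is visible to whoever uses the browser next.
    return [];
}

// Constructed sample: a shopping cart present in the session at logout time.
$sessionAtLogout = [
    'cart' => [
        ['sku' => 'SAMPLE-ITEM-1', 'qty' => 2],
        ['sku' => 'SAMPLE-ITEM-2', 'qty' => 1],
    ],
    'lastViewedPage' => 42,
];

// Default configuration (toggle absent): the anonymous session is empty.
$defaultResult = buildAnonymousSessionAfterLogout($sessionAtLogout, []);

// Legacy behaviour requested explicitly: the cart survives the logout.
$legacyResult = buildAnonymousSessionAfterLogout(
    $sessionAtLogout,
    ['security.frontend.keepSessionDataOnLogout' => true]
);

printf("default:  %d keys carried over\n", count($defaultResult));
printf("legacy:   %d keys carried over\n", count($legacyResult));
```

Running the script prints `0` keys for the default configuration and `2` for the legacy toggle. The defender's takeaway is that the secure behaviour is now the default and the toggle is an explicit, reviewable opt-out; an installation that sets it to `true` should do so only where the carried-over data is known to be harmless on a shared browser.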
Changed files:
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (1 addition, 0 deletions)
- typo3/sysext/core/Configuration/DefaultConfiguration.php (1 addition, 0 deletions)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (3 additions, 0 deletions)
- typo3/sysext/frontend/Classes/Authentication/FrontendUserAuthentication.php (9 additions, 4 deletions)