[SECURITY] Limit user session to cookie domain
Given that there are two sites `site-a.com` and `site-b.com` in the same TYPO3 installation, it was possible to reuse a session cookie that was generated for `site-a.com` in `site-b.com`. Since there are scenarios where this is the expected behavior – when sharing sessions across subdomains, so that an explicit cookieDomain needs to be configured – user session IDs are now signed with a combination of encryption key and desired cookie domain, so that a cookie can only be used on the domain that the cookie was created for. For compatibility with possible 3rd party authenticators, legacy tokens will be accepted (but not created by TYPO3 core itself).

Resolves: #100885
Releases: main, 12.4, 11.5
Change-Id: I0d1c314c6e206ac12604ba6f859af78b958651dd
Security-Bulletin: TYPO3-CORE-SA-2023-006
Security-References: CVE-2023-47127
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81731
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
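As an added example (not TYPO3's code), a Python sketch of the scheme the commit message describes: the cookie value carries an HMAC over the session identifier, keyed by the encryption key combined with the cookie domain, so a cookie issued for `site-a.com` fails verification when presented on `site-b.com`, while an unsigned legacy token is still resolved for compatibility. The `<id>.<signature>` layout, the key derivation and the function names are assumptions, not the layout TYPO3 uses.

```python
"""Domain-bound session cookies, constructed demo (not TYPO3's implementation).

Token layout `<session_id>.<signature>` and the key derivation are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ENCRYPTION_KEY = b"constructed-demo-encryption-key"  # constructed sample value


def _signature(encryption_key: bytes, cookie_domain: str, session_id: str) -> str:
    # The signing key mixes the cookie domain into the encryption key, so the same
    # session id yields a different signature for every domain it could be scoped to.
    material = encryption_key + b"|" + cookie_domain.lower().encode()
    signing_key = hashlib.sha256(material).digest()
    return hmac.new(signing_key, session_id.encode(), hashlib.sha256).hexdigest()


def create_cookie_value(encryption_key: bytes, cookie_domain: str,
                        session_id: Optional[str] = None) -> str:
    """Build the cookie value for a session scoped to cookie_domain."""
    session_id = session_id or secrets.token_hex(16)
    return f"{session_id}.{_signature(encryption_key, cookie_domain, session_id)}"


def resolve_session_id(cookie_value: str, encryption_key: bytes,
                       cookie_domain: str) -> Optional[str]:
    """Return the session id the cookie refers to, or None if it was not issued
    for cookie_domain (or under a different encryption key).

    An unsigned legacy token is passed through, mirroring the compatibility
    behaviour described above; the caller must still find it in the session store.
    Such tokens are never produced by create_cookie_value.
    """
    session_id, sep, presented = cookie_value.partition(".")
    if not sep:
        return session_id  # legacy token without signature part
    expected = _signature(encryption_key, cookie_domain, session_id)
    if not hmac.compare_digest(presented, expected):
        return None  # cookie belongs to another domain or another installation
    return session_id


if __name__ == "__main__":
    cookie = create_cookie_value(ENCRYPTION_KEY, "site-a.com")
    print("site-a.com:", resolve_session_id(cookie, ENCRYPTION_KEY, "site-a.com"))
    print("site-b.com:", resolve_session_id(cookie, ENCRYPTION_KEY, "site-b.com"))
```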
Files changed:
- typo3/sysext/core/Classes/Http/CookieScopeTrait.php (67 additions, 0 deletions)
- typo3/sysext/core/Classes/Session/UserSessionManager.php (55 additions, 4 deletions)
- typo3/sysext/core/Tests/Functional/Page/PageRendererTest.php (2 additions, 1 deletion)
- typo3/sysext/core/Tests/Unit/Authentication/BackendUserAuthenticationTest.php (2 additions, 1 deletion)
- typo3/sysext/core/Tests/Unit/Session/UserSessionManagerTest.php (25 additions, 7 deletions)
- typo3/sysext/frontend/Tests/Unit/Authentication/FrontendUserAuthenticationTest.php (2 additions, 1 deletion)