[BUGFIX] Fetch RSA public key by Ajax before login
Currently public and private RSA keys are generated when rendering the login form. This has several drawbacks. It can lead to strange and hard to debug errors when a second request is done in the same browser, which invalidates the key for the current login form (#38660), opening a second login in a different tab invalidates the key on the first tab and finally when the login form stays open until the PHP session expires (parts of the private key are stored in the PHP session), the key is also invalid for the form.

Solution is to create a new key pair on the fly when a user clicks the submit button and fetch the public key via Ajax.

This change implements this for the backend login. Frontend login should be tackled in a different patch.

Resolves: #37421
Releases: 6.2
Change-Id: I0cd9a049d892ee872436347153a0e1114b17585d
Reviewed-on: https://review.typo3.org/28893
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Showing
- typo3/sysext/rsaauth/Classes/Hook/LoginFormHook.php: 10 additions, 38 deletions
- typo3/sysext/rsaauth/ext_localconf.php: 0 additions, 1 deletion
- typo3/sysext/rsaauth/resources/BackendLoginFormRsaEncryption.js: 108 additions, 0 deletions
- typo3/sysext/rsaauth/resources/rsaauth.js: 1 addition, 0 deletions
- typo3/sysext/rsaauth/resources/rsaauth_min.js: 1 addition, 0 deletions
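
The failure modes listed in the commit message (a second tab replacing the key, the session expiring while the form stays open) can be reproduced in a small model of the session's key slot. This is an added example, not code from the TYPO3 change: the `Session` class, the function names and the tiny textbook-RSA key pairs are constructed for illustration.

```javascript
// Added illustration of the session key slot; not TYPO3's rsaauth code.
// Textbook RSA on tiny constructed primes stands in for the real key pair.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}
const KEY_PAIRS = [
  { n: 3233n, e: 17n, d: 2753n }, // p = 61, q = 53
  { n: 2773n, e: 17n, d: 157n },  // p = 47, q = 59
];
const SECRET = 2n; // constructed stand-in for the encoded password

class Session {
  constructor() { this.privateKey = null; this.issued = 0; }
  // Creates a pair, keeps the private half in the session, returns the public half.
  newKeyPair() {
    const k = KEY_PAIRS[this.issued++ % KEY_PAIRS.length];
    this.privateKey = { n: k.n, d: k.d };
    return { n: k.n, e: k.e };
  }
  expire() { this.privateKey = null; }
  // Decrypts with whatever private key the session holds at submit time.
  login(cipher) {
    const key = this.privateKey;
    return key !== null && modPow(cipher, key.d, key.n) === SECRET;
  }
}
const submit = (session, pub) => session.login(modPow(SECRET, pub.e, pub.n));

// Old flow: the key pair is created when the login form is rendered.
function keyAtRender(event) {
  const s = new Session();
  const formKey = s.newKeyPair();              // tab 1 renders the form
  if (event === "second-tab") s.newKeyPair();  // tab 2 renders and replaces the slot
  if (event === "session-expired") s.expire();
  return submit(s, formKey);                   // tab 1 submits with its stale key
}
// New flow: the public key is fetched only when the user clicks submit.
function keyAtSubmit(event) {
  const s = new Session();
  if (event === "second-tab") submit(s, s.newKeyPair()); // tab 2 logs in first
  if (event === "session-expired") s.expire();
  return submit(s, s.newKeyPair());            // tab 1 fetches a fresh key, then submits
}
```

With the key created at render time, both the second-tab and session-expired cases fail to decrypt; with the key fetched at submit time, every case succeeds.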