Open webian opened 4 years ago
After many hours of debugging I still can't get what's wrong, so I'm writing my findings here...
With sr_freecap enabled, sr_freecap creates a cookie to check the captcha result. This cookie means that a session exists (\TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::start) so, when femanager tries to write the flash message into session, TYPO3 finds an existing session (\TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::setSessionCookie) and so it doesn't set the cookie.
But at this point I don't know if the bug is in femanager or sr_freecap or TYPO3.
This needs further testing and I plan to add an automated test.
This problem still seems to exist …
Step to reproduce:
captcha = 1
Result: the user is redirected to the status page but there's no message explaining to check email to confirm so the user doesn't know what to do.
Instead, with captcha disabled the message appears but the system is vulnerable to spam.