Typo3-手动登录仅适用于cookie

Question

I'm trying to manually login the user using this snippet (after verifying the login data of course):

public function loginUser($user) {
    $userArray = array('uid' => $user->getUid());
    $GLOBALS['TSFE']->fe_user->is_permanent = true;
    $GLOBALS['TSFE']->fe_user->checkPid = 0;
    $GLOBALS['TSFE']->fe_user->createUserSession($userArray);
    $GLOBALS['TSFE']->fe_user->user = $GLOBALS['TSFE']->fe_user->fetchUserSession();
    $GLOBALS['TSFE']->fe_user->fetchGroupData();
    $GLOBALS['TSFE']->loginUser = true;
    //this somehow forces a cookie to be set
    $GLOBALS['TSFE']->fe_user->setAndSaveSessionData('dummy', TRUE);
}

If I leave out the "setAndSaveSessionData" Part, the login doesn't work at all, after a page redirect the login data are gone and the user is logged out again. But the setAndSaveSessionData stores the session in a cookie and the user will remain logged in even after closing the browser - which is a behaviour I do not want (not without the user's consent). Is there a way to manually login the user without the "setAndSaveSessionData" part? I'm using Typo3 6.2.12 with extbase and felogin

Thank you very much in advance!

Answer 1

In some TYPO3 6.2.x (I don't remember which x exactly) there was a change introduced, which causes that you need to call AbstractUserAuthentication::setSessionCookie() method yourself... Unfortunately it has protected access so the best way to login user is creating some util class extending it:

typo3conf/your_ext/Classes/Utils/FeuserAuthentication.php

<?php

namespace VendorName\YourExt\Utils;


use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;

class FeuserAuthentication extends AbstractUserAuthentication {


    function __construct($uid) {
        return $this->authByUid($uid);
    }

    // Authenticates user by uid
    public function authByUid($uid) {

        /** @var $fe_user FrontendUserAuthentication */
        $fe_user = $GLOBALS['TSFE']->fe_user;
        $fe_user->createUserSession(array('uid' => $uid));
        $fe_user->user = $fe_user->getRawUserByUid($uid);
        $fe_user->fetchGroupData();
        $GLOBALS['TSFE']->loginUser = true;
        $fe_user->setSessionCookie();

        return $fe_user->isSetSessionCookie();

    }

}

so to login your user by uid you just need to create new object of this class with $uid of fe_user as a constructor's param:

$this->objectManager->get(
    '\VendorName\YourExt\Utils\FeuserAuthentication', 
    $user->getUid()
);

PS As you can see this class doesn't check if account exists and/or is enabled, so you need to check it yourself before authentication attempt.

Answer 2

A website is delivered HTTP(S), which is a stateless protocol. This means that something has to be saved on the client computer, because otherwise the server couldn't reliably recognize the user again. There are several ways to do this:

• Use a session cookie (The way TYPO3 does it, PHP also does that)
• Manually add a session ID to each request on a page, Java-based applications do that sometimes. This breaks if the user leaves the page and comes back later (in the same session, or in another tab without copying a link).
• There are probably some more ways, but I can't come up with them right now

So my answer is: Since I believe it is hard to get TYPO3 to switch to another way of setting the session information (would be quite user unfriendly), there is no good way to avoid setting the cookie.

However:
The cookie is a session cookie, which expires when the browser session is ended. So closing the browser and reopening it should end the login, except if the browser restores the previous session when opened. Many modern browsers do this, especially mobile browsers. Ways to get around that:

• Use the incognito or private mode of the browser
• Set the browser to start a fresh session on each start and make sure the browser terminates when you are finished (again: watch mobile devices).