Details
- Improvement
- Resolution: Fixed
- Medium
- 4.1.0beta1
- None
Description
Require a session cookie in user/register to prevent empty user objects from being created when crawlers enter the user/register site, or when users try to attack the eZ installation by disabling cookies in their browser.
Why?
user/register depends on cookies anyway, so there is no harm done, only added security.
How?
eZSession has new functionality in 4.1 that lets you know whether the current user had a session cookie at the start of the request. If not, redirect back to user/register with an added part in the URL (for instance "/2") to signal that the user should have a cookie by now. If there is still no cookie, display a form saying that cookies must be enabled in the browser to register, with a retry button. Because it is a form rather than a link, crawlers should normally not keep following it.
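The flow described above, as an added example that is not eZ Publish's own code: a framework-independent handler plus a replay of a cookie-keeping browser and a cookie-less crawler. The cookie name and the "/2" marker are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumptions for this example: the cookie name and retry marker are illustrative,
# not eZ Publish's real session settings.
SESSION_COOKIE = "session_id"
REGISTER_PATH = "/user/register"
RETRY_MARK = "/2"        # appended to the URL to say "a cookie should exist by now"


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None
    set_cookie: Dict[str, str] = field(default_factory=dict)


def handle_register(path: str, cookies: Dict[str, str]) -> Response:
    """Decide what user/register does, based only on whether the request carried a session cookie."""
    if SESSION_COOKIE in cookies:
        # Normal case: a session already exists, so show the real registration form.
        return Response(200, body="registration-form")
    if not path.endswith(RETRY_MARK):
        # First visit without a cookie: start a session and redirect exactly once.
        return Response(302, location=REGISTER_PATH + RETRY_MARK,
                        set_cookie={SESSION_COOKIE: "new-session"})
    # Still no cookie after the redirect: create no user object. Answer with a POST
    # form (retry button) instead of a link, so crawlers stop following it.
    return Response(200, body='<form method="post" action="/user/register">'
                    'Enable cookies in your browser to register. <button>Retry</button></form>')


def simulate(stores_cookies: bool) -> List[str]:
    """Replay a client against handle_register, following redirects; return the outcomes seen."""
    jar: Dict[str, str] = {}
    path, seen = REGISTER_PATH, []
    for _ in range(5):                     # hard cap: shows there is no redirect loop
        resp = handle_register(path, jar)
        if stores_cookies:
            jar.update(resp.set_cookie)
        if resp.status == 302:
            seen.append("redirect")
            path = resp.location
            continue
        seen.append("registration-form" if resp.body == "registration-form" else "cookie-form")
        return seen
    return seen + ["loop"]
```

A browser that keeps cookies sees one redirect and then the registration form; a crawler that discards cookies sees one redirect and then the "enable cookies" form, never a user object.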