Change
Login form and temporary sessions
Issue description
When a surface scan by an anonymous hacker is performed, the poking request is currently redirected to the login form, which then issues a temporary session cookie. This leads to consecutive pokes being not anonymous, but rather session requests. This is a minor problem as the user group of the session is still the user group for the unauthenticated user. Not all automated surface scan tools show the behavior of using the session cookie.
Developer comments
See log file buschconnect of yesterday.
There is a reason for this temporary session request on a poke. A legitimate user currently not logged in that accesses an existing resource in the store should be redirected to that resource after a successful login. This probably can be done a different way without the need for a session.
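One way to keep the redirect-after-login without issuing a temporary session, added here as an example and not code from the ticket or the project: the requested path travels in the login URL, bound with an HMAC under a server-side key (the hypothetical SECRET), and is checked to be a same-site path before it is used, so the login redirect cannot be steered to another host and an anonymous scanner's follow-up requests stay anonymous.

```python
import hmac
import hashlib
from urllib.parse import quote, unquote, urlsplit

# Hypothetical server-side key; in practice load it from configuration.
SECRET = b"example-secret-not-for-production"


def sign(path: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the requested path, so only this server can mint a valid 'next'."""
    return hmac.new(secret, path.encode("utf-8"), hashlib.sha256).hexdigest()


def is_local_path(path: str) -> bool:
    """Accept only same-site absolute paths such as '/store/item/42'.
    Rejects protocol-relative '//host/...' and full URLs (open-redirect guard)."""
    parts = urlsplit(path)
    return (path.startswith("/") and not path.startswith("//")
            and parts.scheme == "" and parts.netloc == "")


def redirect_to_login(requested_path: str) -> dict:
    """Response for an unauthenticated request to an existing resource.
    The target is carried in the URL instead of a session cookie, so the
    response sets no cookie and the next request is still an anonymous one."""
    if not is_local_path(requested_path):
        requested_path = "/"
    location = "/login?next=%s&sig=%s" % (
        quote(requested_path, safe=""), sign(requested_path))
    return {"status": 302, "headers": {"Location": location}}  # no Set-Cookie


def post_login_target(next_param: str, sig: str) -> str:
    """After a successful login, return the verified target or the safe default '/'."""
    path = unquote(next_param)
    if not is_local_path(path):
        return "/"
    if not hmac.compare_digest(sign(path), sig):
        return "/"
    return path


if __name__ == "__main__":
    # Constructed sample: anonymous poke at an existing store resource.
    resp = redirect_to_login("/store/item/42")
    print(resp["headers"]["Location"])
    print(post_login_target("%2Fstore%2Fitem%2F42", sign("/store/item/42")))
```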