My community has over 300,000 registered members and an estimated 200,000 users daily. When entering the Joomla site, a lot of users get empty sessions. That means the session ID is just "".
If one of these users logs in with the empty session, some of the others are also logged in with the same account. They can edit the profile, read/write personal messages etc. That's a huge problem, because no one wants others to enter their profile.
Delete all cookies and open the Joomla website.
The user gets a unique session ID.
You are logged in as another user and/or share the empty session ID with other people. This happens with low likelihood, but if you have lots of users, it happens a lot.
Joomla: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Webserver: nginx/1.2.1
Database version: 5.5.40-0+wheezy1-log
PHP: fpm-fcgi
You can also reproduce this issue if you change your session ID cookie within the browser developer tools.
I have solved this issue with the following edits:
Open: /libraries/joomla/session/session.php
Function to edit: _start()
Before:
if (!JRequest::getVar($session_name, false, 'COOKIE'))
{
    if (JRequest::getVar($session_name))
    {
        session_id(JRequest::getVar($session_name));
        setcookie($session_name, '', time() - 3600);
    }
}
After:
if (!JRequest::getVar($session_name, false, 'COOKIE'))
{
    if (JRequest::getVar($session_name))
    {
        // Session id passed in the request (GET/POST): adopt it and expire the cookie
        session_id(JRequest::getVar($session_name));
        setcookie($session_name, '', time() - 3600);
    }
    elseif (JRequest::getVar($session_name) == '')
    {
        // Cookie present but empty (or no id at all): never start a session with id ""
        session_id($this->_createId());
    }
}
This solved the problem of getting empty sessions. It's just a little hack to avoid users getting logged in to other accounts.
Kind regards
Looks like we are OK in fact in 3.x
Status: New ⇒ Closed
Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/5214
Here is the PR: #5228 Thanks @enesbil
Closed: 2014-11-27 20:09:26
This issue seems not to be fixed in Joomla 3.3.6, as I'm experiencing the same "logged in as another user" issue, but sadly I'm not able to reproduce it yet; I'm debugging.
I don't know if in Joomla 3 it is due to an empty session_id. Anyway, in the Joomla 3 JSession code I cannot find the equivalent of this patch, so maybe yes. I also noticed that it happens with expired sessions and that the session cookie value is set to '' for expired sessions, but it's hard to reproduce getting logged in as another user as my site also gets a lot of guest traffic. Another question is: do we really need the guest to be sessioned? Why?
This issue still occurs in Joomla 3.4.
I have created a patch for this. The following code solves this issue:
Open: /libraries/joomla/session/session.php
Function to edit: _start()
Before:
if ($this->_state === 'restart')
{
    session_regenerate_id(true);
}
else
{
    $session_name = session_name();

    // Get the JInputCookie object
    $cookie = $this->_input->cookie;

    if (is_null($cookie->get($session_name)))
    {
        $session_clean = $this->_input->get($session_name, false, 'string');

        if ($session_clean)
        {
            session_id($session_clean);
            $cookie->set($session_name, '', time() - 3600);
        }
    }
}
After:
if ($this->_state === 'restart')
{
    session_regenerate_id(true);
}
else
{
    $session_name = session_name();

    // Get the JInputCookie object
    $cookie = $this->_input->cookie;
    $value  = $cookie->get($session_name);

    if (is_null($value))
    {
        // No session cookie at all: accept an id passed in the request, then expire the cookie
        $session_clean = $this->_input->get($session_name, false, 'string');

        if ($session_clean)
        {
            session_id($session_clean);
            $cookie->set($session_name, '', time() - 3600);
        }
    }
    elseif ($value == '')
    {
        // Cookie present but empty: do not reuse id "", regenerate and expire the bad cookie
        session_regenerate_id(true);
        $cookie->set($session_name, '', time() - 3600);
    }
}
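Both patches in this thread (the 2.5 one above and the 3.x one just posted) hinge on the same check: a session cookie that is present but empty must never be handed to session_id(), because a database-backed session handler then keys every such visitor on the same empty-string row, which is exactly the shared-login symptom reported at the top. The PHP below is an added example written for this thread, not Joomla's code and not either patch. It uses a constructed in-memory store (FakeSessionStore) and constructed cookie arrays to show the shared-row behaviour with the unvalidated id beside the validated alternative; the names isValidSessionId, resolveSessionId and naiveSessionId are chosen here, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example (not Joomla's code): validate the session cookie before it is
// used as a session id, and show why an empty cookie value shares one record.

// Constructed in-memory stand-in for a database-backed session store,
// keyed by session id the way a DB session handler keys its table.
class FakeSessionStore
{
    private $rows = array();

    public function read($id)
    {
        if (!isset($this->rows[$id])) {
            $this->rows[$id] = array();
        }
        return $this->rows[$id];
    }

    public function write($id, array $data)
    {
        $this->rows[$id] = $data;
    }
}

// Strict check on what a browser sent back as the session cookie. PHP's own
// ids use [0-9a-zA-Z,-]; Joomla's _createId() ids are md5 hex, so this pattern
// accepts both. Empty, null or malformed values are rejected.
function isValidSessionId($value)
{
    return is_string($value) && preg_match('/^[0-9a-zA-Z,-]{22,128}$/', $value) === 1;
}

// Decide which id the request runs under. Returns array(id, regenerated).
function resolveSessionId(array $cookies, $sessionName)
{
    $value = isset($cookies[$sessionName]) ? $cookies[$sessionName] : null;
    if (isValidSessionId($value)) {
        return array($value, false);
    }
    // Missing, empty ('') or malformed cookie: mint a fresh id so that no two
    // visitors can ever be mapped to the same store row.
    return array(bin2hex(random_bytes(16)), true);
}

// Unpatched behaviour: whatever the cookie holds becomes the key, '' included.
function naiveSessionId(array $cookies, $sessionName)
{
    return isset($cookies[$sessionName]) ? $cookies[$sessionName] : bin2hex(random_bytes(16));
}

function demo()
{
    $name  = 'joomla_session';
    $store = new FakeSessionStore();

    // Two distinct visitors whose browsers both sent an empty session cookie
    // (constructed inputs, the situation the bug report describes).
    $alice = array($name => '');
    $bob   = array($name => '');

    // Unvalidated: both map to the row keyed '' and Alice's login leaks to Bob.
    $aliceId = naiveSessionId($alice, $name);
    $store->write($aliceId, array('user_id' => 42));
    $bobSeesBefore = $store->read(naiveSessionId($bob, $name));

    // Validated: each gets a fresh id and an empty record of their own.
    list($aliceFixed, $r1) = resolveSessionId($alice, $name);
    list($bobFixed, $r2)   = resolveSessionId($bob, $name);
    $store->write($aliceFixed, array('user_id' => 42));
    $bobSeesAfter = $store->read($bobFixed);

    return array(
        'shared_before' => ($bobSeesBefore === array('user_id' => 42)),
        'shared_after'  => ($bobSeesAfter === array('user_id' => 42)),
        'distinct_ids'  => ($aliceFixed !== $bobFixed && $r1 && $r2),
    );
}

echo json_encode(demo()), "\n";
```

Run it with the PHP CLI: shared_before reports whether Bob's read with the empty id returned Alice's data, shared_after whether that still happens once ids are validated, and distinct_ids whether the two regenerated ids differ. One caveat for the 3.x patch above: session_regenerate_id() only acts on an already active session, so calling it before session_start() does not replace the id; the safer pattern, as in the 2.5 patch, is to generate a new id and pass it to session_id() before the session is started.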
@enesbil can you send your changes as pull request? https://docs.joomla.org/Using_the_Github_UI_to_Make_Pull_Requests
Thanks!
Can you do a pull request following our code style (for 2.5 and 3.x-staging)?