Joomla! Issue Tracker | Joomla! CMS #5214 - Empty Sessions / Logged-in in other accounts

Closed
27 Nov 2014
Medium
Build: master
# 5214

Referenced as Pull Request for: ~~# 6430~~

enesbil
26 Nov 2014

My community has over 300.000 registered Members and est. 200.000 users daily. When entering joomla, a lot of users get empty sessions. That means, the Session-ID is just "".
If one of these users log in with the empty session, some of the others are also logged in with the same account. They can edit the profile, read/write personal messages etc. That's a huge problem, because no one wants others to enter the profile.

Steps to reproduce the issue

Delete all the cookies, and enter Joomla website.

Expected result

User gets an unique Session-ID.

Actual result

You are logged in as another user and/or share the empty Session-ID with other people. This happens with low likelihood. But if you have lots of users, it happens a lot.

System information (as much as possible)

Joomla: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Webserver: nginx/1.2.1
Database-version: 5.5.40-0+wheezy1-log
PHP: fpm-fcgi

Additional comments

You can also reproduce this issue, if you change your session-id cookie within browser developer tools.

I have solved this issue, with the following edits:

Open: /libraries/joomla/session/session.php
Function to edit: _start()

Before:

        if (!JRequest::getVar($session_name, false, 'COOKIE'))
        {
            if (JRequest::getVar($session_name))
            {
                session_id(JRequest::getVar($session_name));
                setcookie($session_name, '', time() - 3600);
            }
        }

After:

        if (!JRequest::getVar($session_name, false, 'COOKIE'))
        {
            if (JRequest::getVar($session_name))
            {
                session_id(JRequest::getVar($session_name));
                setcookie($session_name, '', time() - 3600);
            }elseif(JRequest::getVar($session_name) == ''){
                session_id($this->_createId());
            }
        }

This solved the problem, of getting empty sessions. It's just a little hack, to avoid users getting logged-in in other accounts.

Kind regards

enesbil - open - 26 Nov 2014

enesbil - change - 26 Nov 2014

The description was changed

enesbil - change - 26 Nov 2014

The description was changed

infograf768 - comment - 26 Nov 2014

Can you do a pull request following our code style (for 2.5 and 3.x-staging ) ?

infograf768 - comment - 26 Nov 2014

Looks like we are OK in fact in 3.x

brianteeman - change - 26 Nov 2014

Milestone

Added:

zero-24 - reference | - 27 Nov 14

jissues-bot - close - 27 Nov 2014

zero-24 - close - 27 Nov 2014

zero-24 - change - 27 Nov 2014

Status

New

⇒

Closed

jissues-bot - comment - 27 Nov 2014

Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/5214

jissues-bot - close - 27 Nov 2014

zero-24 - comment - 27 Nov 2014

Here is the PR: #5228 Thanks @enesbil

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5214.

jissues-bot - change - 27 Nov 2014

Closed_Date

0000-00-00 00:00:00

⇒

2014-11-27 20:09:26

mbabker - reference | - 5 Dec 14

creativeprogramming - comment - 12 Feb 2015

This issue seems to not be fixed in Joomla 3.3.6 as I'm experiencing the same "logged in as another user" issue, but sadly i'm not able to reproduce yet, i'm debugging

creativeprogramming - comment - 12 Feb 2015

I don't know if in Joomla 3 is due to empty session_id anyway in the Joomla 3 JSession code i cannot find the equivalent of this patch so maybe yes, also i noticed that it happens with expired sessions and that session cookie value is set to '' for expired sessions but it's hard to reproduce getting logged as another user as my site got also lot of guest traffic, another question is, do we really need the guest to be sessioned? why?

enesbil - comment - 14 Mar 2015

This issue still occures in Joomla 3.4

I have created a patch for this. The following code solves this issue:

Open: /libraries/joomla/session/session.php
Function to edit: _start()
Before:

    if ($this->_state === 'restart')
    {
        session_regenerate_id(true);
    }
    else
    {
        $session_name = session_name();

        // Get the JInputCookie object
        $cookie = $this->_input->cookie;

        if (is_null($cookie->get($session_name)))
        {
            $session_clean = $this->_input->get($session_name, false, 'string');

            if ($session_clean)
            {
                session_id($session_clean);
                $cookie->set($session_name, '', time() - 3600);
            }
        }
    }

After:

    if ($this->_state === 'restart')
    {
        session_regenerate_id(true);
    }
    else
    {
        $session_name = session_name();

        // Get the JInputCookie object
        $cookie = $this->_input->cookie;
        $value = $cookie->get($session_name);

        if (is_null($value))
        {
            $session_clean = $this->_input->get($session_name, false, 'string');

            if ($session_clean)
            {
                session_id($session_clean);
                $cookie->set($session_name, '', time() - 3600);
            }
        }elseif($value == ''){
            session_regenerate_id(true);
            $cookie->set($session_name, '', time() - 3600);
        }
    }

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5214.}

zero-24 - comment - 14 Mar 2015

@enesbil can you send your changes as pull request? https://docs.joomla.org/Using_the_Github_UI_to_Make_Pull_Requests

Thanks!

enesbil - reference | - 14 Mar 15

enesbil - comment - 14 Mar 2015

Thank you @zero-24 that article helped a lot. It was my first PR.

zero-24 - change - 7 Jul 2015

Labels

Added: ?

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#5214] - Empty Sessions / Logged-in in other accounts