Referenced as Pull Request for: # 6430
enesbil - 26 Nov 2014

My community has over 300.000 registered members and an estimated 200.000 users daily. When entering Joomla, a lot of users get empty sessions. That means the Session-ID is just "".
If one of these users logs in with the empty session, some of the others are also logged in with the same account. They can edit the profile, read/write personal messages etc. That's a huge problem, because no one wants others to enter their profile.

Steps to reproduce the issue

Delete all the cookies, and enter Joomla website.

Expected result

User gets a unique Session-ID.

Actual result

You are logged in as another user and/or share the empty Session-ID with other people. This happens with low likelihood, but if you have lots of users, it happens a lot.

System information (as much as possible)

Joomla: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Webserver: nginx/1.2.1
Database-version: 5.5.40-0+wheezy1-log
PHP: fpm-fcgi

Additional comments

You can also reproduce this issue if you change your session-id cookie within the browser developer tools.

I have solved this issue with the following edits:

Open: /libraries/joomla/session/session.php
Function to edit: _start()

Before:

        if (!JRequest::getVar($session_name, false, 'COOKIE'))
        {
            if (JRequest::getVar($session_name))
            {
                session_id(JRequest::getVar($session_name));
                setcookie($session_name, '', time() - 3600);
            }
        }

After:

        if (!JRequest::getVar($session_name, false, 'COOKIE'))
        {
            if (JRequest::getVar($session_name))
            {
                session_id(JRequest::getVar($session_name));
                setcookie($session_name, '', time() - 3600);
            }
            elseif (JRequest::getVar($session_name) == '')
            {
                // Cookie present but empty: mint a fresh id instead of starting session ''
                session_id($this->_createId());
            }
        }

This solved the problem of getting empty sessions. It's just a little hack to avoid users getting logged in to other accounts.

Kind regards

enesbil - open - 26 Nov 2014
enesbil - change - 26 Nov 2014: The description was changed
enesbil - change - 26 Nov 2014: The description was changed
infograf768 - comment - 26 Nov 2014

Can you do a pull request following our code style (for 2.5 and 3.x-staging)?

infograf768 - comment - 26 Nov 2014

Looks like we are OK in fact in 3.x.

brianteeman - change - 26 Nov 2014: Milestone Added:
zero-24 - reference - 27 Nov 14
jissues-bot - close - 27 Nov 2014
zero-24 - close - 27 Nov 2014
zero-24 - change - 27 Nov 2014: Status changed from New to Closed
jissues-bot - comment - 27 Nov 2014

Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/5214

zero-24 - comment - 27 Nov 2014

Here is the PR: #5228 Thanks @enesbil

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5214.

jissues-bot - change - 27 Nov 2014: Closed_Date changed from 0000-00-00 00:00:00 to 2014-11-27 20:09:26
mbabker - reference - 5 Dec 14
creativeprogramming - comment - 12 Feb 2015

This issue seems not to be fixed in Joomla 3.3.6, as I'm experiencing the same "logged in as another user" issue, but sadly I'm not able to reproduce it yet; I'm debugging.

creativeprogramming - comment - 12 Feb 2015

I don't know if in Joomla 3 it is due to an empty session_id. Anyway, in the Joomla 3 JSession code I cannot find the equivalent of this patch, so maybe yes. I also noticed that it happens with expired sessions, and that the session cookie value is set to '' for expired sessions, but it's hard to reproduce getting logged in as another user as my site also gets a lot of guest traffic. Another question is: do we really need the guest to be sessioned? Why?

enesbil - comment - 14 Mar 2015

This issue still occurs in Joomla 3.4.

I have created a patch for this. The following code solves this issue:

Open: /libraries/joomla/session/session.php
Function to edit: _start()

Before:

    if ($this->_state === 'restart')
    {
        session_regenerate_id(true);
    }
    else
    {
        $session_name = session_name();

        // Get the JInputCookie object
        $cookie = $this->_input->cookie;

        if (is_null($cookie->get($session_name)))
        {
            $session_clean = $this->_input->get($session_name, false, 'string');

            if ($session_clean)
            {
                session_id($session_clean);
                $cookie->set($session_name, '', time() - 3600);
            }
        }
    }

After:

    if ($this->_state === 'restart')
    {
        session_regenerate_id(true);
    }
    else
    {
        $session_name = session_name();

        // Get the JInputCookie object
        $cookie = $this->_input->cookie;
        $value = $cookie->get($session_name);

        if (is_null($value))
        {
            $session_clean = $this->_input->get($session_name, false, 'string');

            if ($session_clean)
            {
                session_id($session_clean);
                $cookie->set($session_name, '', time() - 3600);
            }
        }
        elseif ($value == '')
        {
            // Cookie present but empty (e.g. after an expired session):
            // regenerate the id and drop the stale cookie
            session_regenerate_id(true);
            $cookie->set($session_name, '', time() - 3600);
        }
    }


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/5214.
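Both patches in this thread (the 2.5 one and the 3.4 one) turn on the same distinction: a session cookie that is absent, one that is present but empty, and one that carries a usable id. The following is an added illustration, not Joomla code, that isolates that decision into a testable function; the names resolveSessionId and SessionIdDecision, and the length bound in the id check, are assumptions made here.

```php
<?php
// Added illustration (not Joomla's own code). Shows how the session-name cookie
// should be classified before session_id() is called, so that an empty cookie
// value ('') never becomes the id that many visitors end up sharing.

final class SessionIdDecision
{
    public string $action;     // 'use_cookie' | 'use_request' | 'fresh'
    public string $sessionId;  // id to hand to session_id()
    public bool $expireCookie; // whether to clear the stale cookie

    public function __construct(string $action, string $sessionId, bool $expireCookie)
    {
        $this->action = $action;
        $this->sessionId = $sessionId;
        $this->expireCookie = $expireCookie;
    }
}

/**
 * Decide which id to start the session with (hypothetical helper).
 *
 * @param string|null $cookieValue  session cookie value, null if the cookie is absent
 * @param string|null $requestValue session id passed in the query/POST, null if absent
 * @param callable    $newId        generator for a fresh id (e.g. JSession::_createId)
 */
function resolveSessionId(?string $cookieValue, ?string $requestValue, callable $newId): SessionIdDecision
{
    // Accept only the character set PHP session ids use; the length bound is an assumption.
    $isValid = static fn (?string $id): bool =>
        $id !== null && preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id) === 1;

    if ($isValid($cookieValue)) {
        return new SessionIdDecision('use_cookie', $cookieValue, false);
    }

    // Cookie absent entirely: the id may come from the request (the case the
    // original code handles); it is used once and the cookie is then expired.
    if ($cookieValue === null && $isValid($requestValue)) {
        return new SessionIdDecision('use_request', $requestValue, true);
    }

    // Cookie present but empty or malformed: this is the reported case.
    // Mint a fresh id and drop the bad cookie so each visitor gets their own session.
    return new SessionIdDecision('fresh', $newId(), $cookieValue !== null);
}

// Constructed walkthrough of the report's scenario (an empty cookie value).
$gen = static fn (): string => bin2hex(random_bytes(16));
$d = resolveSessionId('', null, $gen);
assert($d->action === 'fresh' && $d->sessionId !== '' && $d->expireCookie === true);
```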
zero-24 - comment - 14 Mar 2015

@enesbil can you send your changes as pull request? https://docs.joomla.org/Using_the_Github_UI_to_Make_Pull_Requests

Thanks!

enesbil - reference - 14 Mar 15
enesbil - comment - 14 Mar 2015

Thank you @zero-24 that article helped a lot. It was my first PR.

zero-24 - change - 7 Jul 2015: Labels Added:
