User tests: Successful: Unsuccessful:
code by @enesbil
See: #5214
My community has over 300.000 registered members and an estimated 200.000 daily users. When entering Joomla, a lot of users get empty sessions. That means the Session-ID is just "".
If one of these users logs in with the empty session, some of the others are also logged in with the same account. They can edit the profile, read/write personal messages etc. That's a huge problem, because no one wants others to enter their profile.
Steps to reproduce: delete all cookies and open the Joomla website.
Expected result: the user gets a unique Session-ID.
Actual result: you are logged in as another user and/or share the empty Session-ID with other people. This happens with low likelihood, but if you have lots of users, it happens a lot.
Joomla: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Webserver: nginx/1.2.1
Database-version: 5.5.40-0+wheezy1-log
PHP: fpm-fcgi
You can also reproduce this issue if you change your session-id cookie within the browser developer tools.
I have solved this issue with the following edits:
Open: /libraries/joomla/session/session.php
Function to edit: _start()
Before:
```php
if (!JRequest::getVar($session_name, false, 'COOKIE'))
{
	if (JRequest::getVar($session_name))
	{
		session_id(JRequest::getVar($session_name));
		setcookie($session_name, '', time() - 3600);
	}
}
```
After:
```php
if (!JRequest::getVar($session_name, false, 'COOKIE'))
{
	if (JRequest::getVar($session_name))
	{
		// Session ID arrived via GET/POST instead of the cookie:
		// adopt it and expire any stale cookie.
		session_id(JRequest::getVar($session_name));
		setcookie($session_name, '', time() - 3600);
	}
	elseif (JRequest::getVar($session_name) == '')
	{
		// Empty session ID: mint a fresh one instead of letting
		// session_start() open the session shared by every empty ID.
		session_id($this->_createId());
	}
}
```
This solved the problem of getting empty sessions. It's just a little hack to avoid users getting logged in to other accounts.
Kind regards
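As an added example (not Joomla's code and not part of the patch above), the same decision written as a stand-alone PHP function that treats an empty ID as absent, plus one step beyond the patch: an ID is also rejected when it contains characters PHP's session handler would never produce. `freshSessionId()` and `resolveSessionId()` are names chosen here; `freshSessionId()` stands in for the `$this->_createId()` call the patch uses.

```php
<?php
// Added example: choose the session ID before session_start(), never
// trusting an empty or malformed value from the cookie or the request.

function freshSessionId(): string
{
    // 32 hex chars from a CSPRNG; stand-in for JSession::_createId().
    return bin2hex(random_bytes(16));
}

function isWellFormedSessionId(string $id): bool
{
    // PHP's session handler only emits [A-Za-z0-9,-]; the empty string
    // fails this check, which is exactly the bug reported above.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

// Returns [sessionId, expireStaleCookie]. $cookie and $request are the
// candidate values from $_COOKIE[$name] and $_REQUEST[$name], null if absent.
function resolveSessionId(?string $cookie, ?string $request): array
{
    if (isWellFormedSessionId((string) $cookie)) {
        return [$cookie, false];   // normal case: valid cookie, nothing to do
    }
    if (isWellFormedSessionId((string) $request)) {
        // ID came via GET/POST with no usable cookie: adopt it and expire
        // the stale cookie, as the original code does.
        return [$request, true];
    }
    // Empty or malformed from both sources: mint a fresh ID so that
    // session_start() can never open the one session all "" users share.
    return [freshSessionId(), false];
}

// Constructed inputs covering the three branches.
[$id, $expire] = resolveSessionId('', '');          // the reported bug
assert(strlen($id) === 32 && $expire === false);
[$id, $expire] = resolveSessionId(null, 'abc123abc123abc123abc123');
assert($id === 'abc123abc123abc123abc123' && $expire === true);
[$id, ] = resolveSessionId('not a valid id!', null);
assert(strlen($id) === 32);                         // malformed value ignored

// Caller then does: session_id($id); if ($expire) setcookie($name, '', time() - 3600); session_start();
```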
Category | ⇒ | Front End Libraries |
Easy | No | ⇒ | Yes |
I think we can just use an else here?
done with: zero-24@b17878e thanks @phproberto
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-12-05 13:00:26 |
Looks OK here.