2

Joomla 1.5.15

I need to renew the session ID when a user logs in to prevent session fixation that is possible in 1.5.15. I realise I can update to the latest version and it would be fixed, but for various reasons I can't update right now.

I have an authentication plugin which handles the logins (I don't use the #__users table); in my plugin I authenticate a user/pass with a web service. I would like to be able to regenerate the session ID at this point in the plugin.

I have tried simply session_regenerate_id(), which does renew it, but I lose all session data and can't log in. I know Joomla uses its own session classes but I don't know if there is a function to do this.

Thanks

RandomCoder
  • I would HIGHLY recommend updating to 1.5.22. All of the releases since 1.5.15 have been security releases; your site is vulnerable. – Brent Friar Feb 17 '11 at 14:35

1 Answer

2

Use JSession::fork().

// Fetch the current Joomla session object, then fork it to get a new session ID
$session =& JFactory::getSession();
$session->fork();

All it really does is session_regenerate_id() in the background, but it makes sure the session is active first before it does so. You shouldn't lose any data by doing this (and if you do, there may be a bug somewhere)...

For Joomla 2.5 and Joomla 3.5 session fixation you can refer to the solution suggested for session fixation in Joomla 2.5

alisha.sen
ircmaxell
  • Tried that and it does renew the ID but can't log in, session data seems to be lost. In the plugin, if good user/pass, I set the response status to JAUTHENTICATE_STATUS_SUCCESS, then I call fork(), then I return true to indicate a successful login. – RandomCoder Feb 17 '11 at 15:01
  • @user5953: And it does log you in if you don't regenerate the session_id? – ircmaxell Feb 17 '11 at 15:14
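
An added example, not part of the original thread and not Joomla's JSession code: renewing the session ID at login in plain PHP while keeping the data already in the session, then checking that the pre-login ID no longer resolves to a stored session. It assumes PHP 7 or later, the default file-based session handler, and a command-line run; `renew_session_id()`, the `cart` and `user` keys and the sample values are constructed for illustration.

```php
<?php
// Added example: plain PHP session handling, not Joomla's JSession internals.

// Issue a new session ID for the current session and invalidate the old one.
function renew_session_id(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('No active session to renew');
    }
    $old = session_id();
    // true = delete the old session record, so an ID planted before
    // login cannot be used to reach the authenticated session.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not regenerate the session ID');
    }
    if (session_id() === $old) {
        throw new RuntimeException('Session ID did not change');
    }
    return session_id();
}

// Constructed demonstration, run as: php example.php
ini_set('session.use_cookies', '0');      // command line: no cookie header to send
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
session_save_path(sys_get_temp_dir());

session_start();
$_SESSION['cart'] = ['sku-1', 'sku-2'];   // data stored before login (constructed)
$before = session_id();

// ... credentials are verified here (hypothetical step) ...
$after = renew_session_id();
$_SESSION['user'] = 'alice';              // mark as logged in only after renewal
session_write_close();

$oldFile = session_save_path() . '/sess_' . $before;
$newFile = session_save_path() . '/sess_' . $after;

printf("ID changed:       %s\n", $before !== $after ? 'yes' : 'no');
printf("Cart preserved:   %s\n", isset($_SESSION['cart']) ? 'yes' : 'no');
printf("Old record gone:  %s\n", file_exists($oldFile) ? 'no' : 'yes');
printf("New record saved: %s\n", file_exists($newFile) ? 'yes' : 'no');
```

With a custom session store, the handler's own write and destroy routines decide whether the data follows the new ID, so run the same three checks against that store.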