The Joomla! Forum ™



Posted: Tue Apr 08, 2008 10:46 am
Joomla! Fledgling

Joined: Tue Apr 08, 2008 10:35 am
Posts: 2
Hi,

After upgrading to the versions 1.0.13 and 1.0.15 I got an "Invalid Session" error when accessing the components installer in the backend (http://xxxxx/administrator/index2.php?o ... =component). Everything else is working fine. I tried several "solutions" in different threads, but no success:

a) Clear /cache directory -> no success
b) New session directory in joomla root path and new php.ini in root path -> no success (the session indeed is working!)
c) uncommenting the lines 740-744 in includes/joomla.php -> no success

This is the error: <script>document.location.href='index.php?mosmsg=Invalid Session'</script>. Of course this error is produced by the lines 740-744 in includes/joomla.php.

Any ideas...


Posted: Tue Apr 08, 2008 12:37 pm
Joomla! Enthusiast

Joined: Mon Jun 18, 2007 9:24 am
Posts: 199
Can you PM me the website link? I will try to solve it.

_________________
http://www.joomlian.com


Posted: Tue Apr 08, 2008 3:38 pm
Joomla! Fledgling

Joined: Tue Apr 08, 2008 3:35 pm
Posts: 1
The problem seems to be in line "if ($session_id != session_id()) {"

I echo both values but the first one is empty so we all get Invalid Session.

Wanna try by yourself? Try this and surf through your admin pages.

if ($session_id != session_id()) {
    // session id does not correspond to required session format
    echo ($session_id . "-" . session_id());
    //echo "<script>document.location.href='index.php?mosmsg=Sesión Inválida'</script>\n";
    //exit();
}


Posted: Wed Apr 09, 2008 7:54 pm
Joomla! Fledgling

Joined: Wed Jan 23, 2008 10:27 am
Posts: 4
I managed to fix this problem once and for all.

The session error is occurring for me because my client's host has configured the server (shared hosting) to have a shared session directory rather than individual sessions per domain and per account. On cPanel hosts this shouldn't be a problem since sessions are configured for each domain individually. Although it is unlikely that many people will have the same problem as me, changing joomla's code can prevent joomla from logging you out for session errors.

I might add that because of the changes that need to be made, it will open a security vulnerability because any session that is initiated by another user can be used to access the back-end because the session IDs are the same - which are null values. For example, session id = "" for both users. Therefore, even though they would need to login to admin with a username and password to successfully access the joomla back-end, they could simply type in the URI of say administrator/index2.php and they will be granted access.

This is not a problem for me because the joomla installation is not publicly accessible and is an extranet for a business, so the security vulnerability is not extensive in this case.

All of this applies to the Includes/Joomla.php file.

VERY IMPORTANT If you have used any other fixes, etc, you should download the installation files from the package repository on Joomla's main website and copy back any files you have edited overwriting the changes. If you fail to do this then Joomla will not load, I've tried it and that's how I know.

Another thing is that after applying this patch, you will need to make your site inaccessible to any other users including yourself whilst you access the administrator section. This is because if another user accesses the website, they will start a session of ID="", the same as yours - this will cause the back-end to tell you that you are not authorised to use this resource. I have tested it extensively and it ONLY happens when other users are on the site.

Now for the fix, applied to Joomla 1.0.15 or Joomla 1.0.13:

Firstly, you should find line 872. All of the lines executing the exit() function should be commented and so should any $mos echos as they will log you out and take you back to the admin index page respectively. Do not edit the first part of the conditional else function (the one for session.auto_start) as there is no need to do this.

Code:
         // no session_id as user has not attempted to login, or session.auto_start is switched on
         if (ini_get( 'session.auto_start' ) || !ini_get( 'session.use_cookies' )) {
            echo "<script>document.location.href='index.php?mosmsg=You need to login. If PHP\'s session.auto_start setting is on or session.use_cookies setting is off, you may need to correct this before you will be able to login.'</script>\n";
         } else {
            //echo "<script>document.location.href='index.php?mosmsg=You need to login'</script>\n";
         }
         //exit();
      } else {
         // session id does not correspond to required session format
         //echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
         //exit();
      }


Then the session ID check needs to be commented as well as the previous one. The return value from the session check needs to return a valid session ID so there needs to be an echo. This is demonstrated as follows (you will need to find this in the code yourself). The previous user kindly suggested this.

Code:
if ($session_id != session_id()) {
         // session id does not correspond to required session format
         echo ($session_id . "-" . session_id());
         //echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
         //exit();
      }


All of the changes MUST be made or there will be no change. If you fail to do the first bit then you will just be constantly logged out until you finish the fix.

Effectively, this removes session checking and validation. Hence, all users have the same session ID.

As I have indicated, this fix opens up a security hole, so do this at your own risk.

WAY TO FIX THE SECURITY HOLE

Password protect the administrator directory using .htaccess files, or use the relevant cPanel/SSH utilities.

I suspect that this may still cause errors with user logins as each user will have the same session ID, so if two users login and use the CMS at the same time, I suspect that they will either cause a database error or access the same database records. Any recommendations for this are welcomed.

Hope it helps.


Posted: Thu Apr 10, 2008 10:46 am
Joomla! Fledgling

Joined: Tue Apr 08, 2008 10:35 am
Posts: 2
Hi,

Found a solution for my problem. In the log file of apache /var/log/apache2/error_log there was a hint:

> Allowed memory size of 8388608 bytes exhausted (tried to allocate 18432 bytes)

I increased the allowed memory size from 8mb to 32mb (in php.ini, parameter: memory_limit) and now the invalid session error is gone and everything is working fine.


Posted: Mon Apr 14, 2008 11:38 pm
Joomla! Fledgling

Joined: Tue Apr 08, 2008 10:20 pm
Posts: 3
Hi,

I have Joomla 1.0.15, php-5.2.5,

The 1st day after installation everything was fine, but after 2 days I started having the Invalid Session problem.

I made,
session.auto_start =1

Also applied the code suggested above. Memory Limit is 128M

Please help me out.

:'(


Posted: Tue Apr 29, 2008 1:35 am
Joomla! Intern

Joined: Sat Oct 21, 2006 2:25 am
Posts: 64
Location: VA, USA
Me too! I am having the same issue, only I installed JCE and the next thing I know I'm getting "Invalid Session" >:(

_________________
Joomla! n00b - Thanks for your patience while I learn! :)


Posted: Wed Apr 30, 2008 7:14 pm
Joomla! Intern

Joined: Wed Aug 01, 2007 5:51 pm
Posts: 54
Is this related exclusively to 1.0.15? I'm looking for topics talking about this version 'cause I intend to update my v1.0.12 site.

I found disturbing the case where the memory limit was increased in php.ini, the code fix was done and the problem remains.


Posted: Wed Apr 30, 2008 7:29 pm
Joomla! Intern

Joined: Sat Oct 21, 2006 2:25 am
Posts: 64
Location: VA, USA
I resolved my issue by placing a php.ini in my site's root and also in my Joomla Administrator directory.

_________________
Joomla! n00b - Thanks for your patience while I learn! :)


Posted: Wed Apr 30, 2008 7:34 pm
Joomla! Intern

Joined: Wed Aug 01, 2007 5:51 pm
Posts: 54
waderw24 wrote:
I resolved my issue by placing a php.ini in my site's root and also in my Joomla Administrator directory.


Shouldn't this file be AWAY from public access? I mean, you're placing the file in a directory served by the web server (apache). That kind of hack was usual when kick-starting php with IIS, but IMHO it is not the best solution AT ALL.

_________________
"Verba volant, scripta manent"


Posted: Thu May 01, 2008 5:08 pm
Joomla! Intern

Joined: Sat Oct 21, 2006 2:25 am
Posts: 64
Location: VA, USA
I guess so. Is there a better way to handle the php.ini file? Where would you recommend I place it or configure it?

_________________
Joomla! n00b - Thanks for your patience while I learn! :)


Posted: Fri May 02, 2008 2:41 am
Joomla! Intern

Joined: Wed Aug 01, 2007 5:51 pm
Posts: 54
waderw24 wrote:
I guess so. Is there a better way to handle the php.ini file? Where would you recommend I place it or configure it?


Well, right now I'm using 1.0.12, so I'm not having such a problem in my site at this time. Somehow, I'm interested in applying the patch-to-1.0.15, but I've found oh-so-many topics about this... the Joomla! site MUST work without a php.ini in the root of the site. Setting a folder with 777 permissions, using this hack or the session_id validation I've seen somewhere in this forum in order to be able to login... those kinds of things must be out of the options available because they expose the websites to attacks. And it's obvious: you can't keep a site with such security flaws as a response to a misunderstood (or poorly explained) development.

If there's any change in the configuration of the PHP engine that should be done in order to make your site work, it should be done in the php.ini located in /etc/php5/ or so, or in C:\Program Files\PHP5\ if working on Windows. If your site is located in some external hosting service and they say "no way" to your request of changing the PHP settings, ask them or find somebody that offers this 'tuning' option or even someone that uses virtualization, so every single site has a separate environment.

I've already downloaded the patch. I don't pretend to be a Joomla guru or so, but I guess it would be nice to patch my site, and I hope I can replicate the error and, luckily, solve it somehow.

_________________
"Verba volant, scripta manent"


Posted: Thu May 08, 2008 12:05 am
Joomla! Fledgling

Joined: Tue Apr 08, 2008 10:20 pm
Posts: 3
Hi,

I am using 1.5.3 and didn't have this issue. :)


Posted: Thu May 08, 2008 5:29 am
Joomla! Intern

Joined: Wed Aug 01, 2007 5:51 pm
Posts: 54
imaam wrote:
Hi,

I am using 1.5.3 and didn't have this issue. :)


Fresh install or upgraded?

_________________
"Verba volant, scripta manent"


Posted: Sun Oct 12, 2008 9:28 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
I got the invalid session error on administrator login after upgrading with the 1.0.13 to 1.0.15 patch.

The error was resolved by replacing all files in /administrator/ and /include/ using the full 1.0.15 installer (not the patch). Does the 1.0.13 to 1.0.15 patch maybe have a corrupted file?

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Posted: Sat Jan 21, 2012 6:19 am
Joomla! Enthusiast

Joined: Fri Aug 04, 2006 12:38 pm
Posts: 171
First I tried all the solutions offered in this 4 page thread at http://forum.joomla.org/viewtopic.php?p=1625361 and none of them worked for me, although they solved the problem for a lot of people. After I tried each one, I reverted it back to the original files.

I then applied the fix files referenced at http://forum.joomla.org/viewtopic.php?t=200725 and it still didn't work, but I didn't change them back yet.

Then I realized my absolute paths in the configuration file reference mydomain.com (without the www.) but I was trying to access the admin panel from http://www.mydomain.com/administrator/
When I dropped the www. now it works normally, without the invalid session problem.

Don't know if it was a combination of the two things, or just the last that fixed it.
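
The causes reported across this thread (session.auto_start and session.use_cookies, the session directory, memory_limit, and the www/non-www host mismatch) can be checked with a diagnostic page instead of commenting out the session check in includes/joomla.php. The script below is an added example, not part of any post and not Joomla code; `$configuredSite`, `iniBytes` and `sessionFindings` are hypothetical names, and the 32M threshold is only the value one poster reported raising the limit to.

```php
<?php
// Added diagnostic, not Joomla code. Request it through the web server (not
// the CLI) so it reads the same php.ini as the administrator pages.
// Assumption: set $configuredSite to the site URL from your configuration file.
$configuredSite = 'http://mydomain.com';

// Convert php.ini shorthand such as "8M" or "1G" to bytes.
function iniBytes($value) {
    $number = (int) $value;
    switch (strtoupper(substr(trim($value), -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

function sessionFindings($configuredSite, $requestHost) {
    $findings = array();
    // The guard quoted in the thread redirects when either setting is wrong.
    if (ini_get('session.auto_start')) {
        $findings[] = 'session.auto_start is on';
    }
    if (!ini_get('session.use_cookies')) {
        $findings[] = 'session.use_cookies is off';
    }
    // save_path may look like "5;/path"; empty means the system temp dir.
    $path = (string) substr(strrchr(';' . ini_get('session.save_path'), ';'), 1);
    if ($path === '') { $path = sys_get_temp_dir(); }
    if (!is_dir($path) || !is_writable($path)) {
        $findings[] = "session save path '$path' is not a writable directory";
    }
    // 32M is the value one poster raised the limit to; -1 means unlimited.
    $limit = iniBytes(ini_get('memory_limit'));
    if ($limit > 0 && $limit < 32 * 1024 * 1024) {
        $findings[] = 'memory_limit is only ' . ini_get('memory_limit');
    }
    // Session cookies are host-scoped: www.mydomain.com is not mydomain.com.
    $configuredHost = (string) parse_url($configuredSite, PHP_URL_HOST);
    $requestHost = preg_replace('/:\d+$/', '', $requestHost); // drop any port
    if (strcasecmp($configuredHost, $requestHost) !== 0) {
        $findings[] = "request host '$requestHost' differs from configured host '$configuredHost'";
    }
    return $findings;
}

header('Content-Type: text/plain');
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$findings = sessionFindings($configuredSite, $host);
echo $findings ? implode("\n", $findings) . "\n" : "no session misconfiguration found\n";
```

Remove the file once the cause is found, since its output includes server paths.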

