http://stackoverflow.com/questions/2609 ... joomla-2-5
I could not get it to work on 1.5 despite many variations; the most I was able to achieve was to get the correct userid and data into the session table, but it wasn't actually logged in.
Anyway, I gave up on that and used a more hackish approach that works in both the front end and the administrator end.
Note: Before you change these files, make a backup first; otherwise, if a mistake is made, you won't be able to log in.
This is the function that swaps the IDs. Since it's used by both the site and the administrator, I put it in the following file:
/libraries/joomla/session/session.php
Code:
// Declared static because register_shutdown_function() calls it as
// array('JSession', 'swapSessionIDs') with no instance.
static function swapSessionIDs()
{
    $db      =& JFactory::getDBO();
    $session =& JFactory::getSession();
    $oldID   = $session->getId();      // ID the browser presented before login
    $newID   = $session->_createId();  // fresh ID generated by JSession
    $sn      = session_name();
    $cookie  = session_get_cookie_params();
    if (isset($session->_force_ssl) && $session->_force_ssl) {
        $cookie['secure'] = true;
    }
    $cookie['httponly'] = true;
    // Flush the session to the database before re-keying its row.
    session_write_close();
    // Quote both IDs: the old one came from the client's cookie.
    $q = 'UPDATE #__session SET session_id = ' . $db->Quote($newID)
       . ' WHERE session_id = ' . $db->Quote($oldID);
    $db->setQuery($q);
    $db->query();
    // Hand the new ID to the client; the old ID no longer matches any row.
    $_COOKIE[$sn] = $newID;
    setcookie($sn, $newID, $cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
    return;
}
Modifications for the front end:
In the main /index.php file (near the top):
Code:
ini_set('session.cookie_httponly', 1);
In the login function there is an if statement that needs to be modified slightly by adding the register_shutdown_function:
Code:
if (!in_array(false, $results, true))
{
    // Set the remember me cookie if enabled
    if (isset($options['remember']) && $options['remember'])
    {
        jimport('joomla.utilities.simplecrypt');
        jimport('joomla.utilities.utility');
        // Create the encryption key, apply extra hardening using the user agent string
        $key     = JUtility::getHash(@$_SERVER['HTTP_USER_AGENT']);
        $crypt   = new JSimpleCrypt($key);
        $rcookie = $crypt->encrypt(serialize($credentials));
        $lifetime = time() + 365*24*60*60;
        setcookie(JUtility::getHash('JLOGIN_REMEMBER'), $rcookie, $lifetime, '/', null, 0, 1);
    }
    // Swap the session ID once the login has been fully written out.
    register_shutdown_function(array('JSession', 'swapSessionIDs'));
    return true;
}
Modifications for the administrator area.
I added this to the top of the main /administrator/index.php file:
Code:
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_path', '/administrator');
Then there is the login function; look for the if statement that does the final check and add the register_shutdown_function so that it looks something like this:
Code:
if (!JError::isError($result))
{
    // Swap the session ID after the login result has been processed.
    register_shutdown_function(array('JSession', 'swapSessionIDs'));
    $mainframe->redirect('index.php');
}
Craig
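The same re-keying step, as an added example that is not part of the post or of Joomla: a plain-PDO version of the session-row swap with bound parameters instead of a hand-built UPDATE, run against a constructed in-memory SQLite table standing in for #__session (assumes PHP 7.3 or later; the table layout, the sample row and the function names are the example's own).

```php
<?php
// Constructed stand-in for Joomla's #__session table, populated with the
// session ID the browser held before authenticating.
function openSessionStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session (session_id TEXT PRIMARY KEY, userid INTEGER, time TEXT)');
    $db->exec("INSERT INTO session VALUES ('preloginid0123', 0, '0')"); // constructed sample row
    return $db;
}

// Fresh, unpredictable ID (32 hex chars), playing the role of JSession::_createId().
function newSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// Re-key the session row at login so the pre-login ID stops resolving to a
// session, and bind the new ID to the authenticated user. Both IDs are bound
// parameters; the old one is client-supplied and must never be interpolated.
function swapSessionId(PDO $db, string $oldId, int $userId): string
{
    $newId = newSessionId();
    $st = $db->prepare('UPDATE session SET session_id = :new, userid = :uid WHERE session_id = :old');
    $st->execute([':new' => $newId, ':uid' => $userId, ':old' => $oldId]);
    if ($st->rowCount() !== 1) {
        throw new RuntimeException('no session row to re-key');
    }
    return $newId;
}

// Cookie attributes the post sets by hand: HttpOnly always, Secure over TLS.
function sessionCookieOptions(bool $forceSsl): array
{
    return ['path' => '/', 'httponly' => true, 'secure' => $forceSsl];
}

$db    = openSessionStore();
$newId = swapSessionId($db, 'preloginid0123', 42);
$left  = $db->query("SELECT COUNT(*) FROM session WHERE session_id = 'preloginid0123'")->fetchColumn();
printf("rows still keyed by the old ID: %d, new ID length: %d\n", $left, strlen($newId));
if (PHP_SAPI !== 'cli') {
    setcookie(session_name(), $newId, sessionCookieOptions(!empty($_SERVER['HTTPS'])));
}
```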