Session Fixation Joomla 1.5

Post by almooj-craig » Tue Dec 29, 2015 5:29 pm

I wanted the session id to change when logging on so I tried using the code and multiple variations of the code that I found in this post:
http://stackoverflow.com/questions/2609 ... joomla-2-5

Could not get it to work on 1.5 with many variations; the most I was able to achieve was to get the correct userid and data into the session table, but it wasn't actually logged in.

Anyway, I gave up on that and used a more hackish approach that works in both the front end and the administrator end.

Note: Before you change these files make a backup first, otherwise if a mistake is made, you won't be able to log in.

This is the function that swaps the IDs. Since it's used by both the site and administrator, I put it in the following file:
/libraries/joomla/session/session.php

Code:

function swapSessionIDs()
{
	$db =& JFactory::getDBO();
	$session =& JFactory::getSession();
	$oldID = $session->getId();
	$newID = $session->_createId();
	$sn = session_name();
	$cookie = session_get_cookie_params();
	if (isset($session->_force_ssl) && $session->_force_ssl) {
		$cookie['secure'] = true;
	}
	$cookie['httponly'] = true;
	// 'lifetime' is a duration in seconds; setcookie() expects a timestamp (0 = session cookie)
	$expire = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0;

	// Flush the session data under the old ID before renaming the row
	session_write_close();

	// Quote() escapes both values; the old ID comes from the request cookie
	$q = 'UPDATE #__session SET session_id = ' . $db->Quote($newID)
		. ' WHERE session_id = ' . $db->Quote($oldID);
	$db->setQuery($q);
	$db->query();

	// Issue the new ID to the browser
	$_COOKIE[$sn] = $newID;
	setcookie($sn, $newID, $expire, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);

	return;
}

Also, if you use $session->_force_ssl to force an SSL connection you may need to modify the session.php file a little more.

Modifications for the front end:
main /index.php file (near the top)

Code:

ini_set('session.cookie_httponly', 1);

/libraries/joomla/application/application.php file
In the login function there is an if statement that needs to be modified slightly by adding the register_shutdown_function:

Code:

if (!in_array(false, $results, true))
{
	// Set the remember me cookie if enabled
	if (isset($options['remember']) && $options['remember'])
	{
		jimport('joomla.utilities.simplecrypt');
		jimport('joomla.utilities.utility');

		//Create the encryption key, apply extra hardening using the user agent string
		$key = JUtility::getHash(@$_SERVER['HTTP_USER_AGENT']);

		$crypt = new JSimpleCrypt($key);
		$rcookie = $crypt->encrypt(serialize($credentials));
		$lifetime = time() + 365*24*60*60;
		setcookie( JUtility::getHash('JLOGIN_REMEMBER'), $rcookie, $lifetime, '/', null, 0, 1 );
	}
	register_shutdown_function(array('JSession','swapSessionIDs'));				
	return true;
}

Modifications for the administrator area.
I added this to the top of the main /administrator/index.php file:

Code:

ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_path', '/administrator');

Then in the /administrator/components/com_login/admin.login.php file
there is the login function, look for the if statement that does the final check and add the register_shutdown_function so that it looks something like this:

Code:

if (!JError::isError($result))
{
	register_shutdown_function(array('JSession','swapSessionIDs'));
	$mainframe->redirect('index.php');
}

Although it's hackish, the session IDs now change when you log in, front site or administrator. If anyone has a more Joomla approach that works for 1.5, I would be interested in seeing your solution.

Craig
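
A way to verify the result of the change described above, as an added example that is not part of the original post: the script parses the Set-Cookie lines of a login response and reports whether the session cookie was reissued with a new value and the HttpOnly flag. The function names, cookie name and header lines are constructed for illustration.

```php
<?php
// Added example, not code from the thread; function names and sample data are constructed.
// Parse one "Set-Cookie: ..." line into name, value and lower-cased attributes.
function parseSetCookie($line)
{
    if (stripos($line, 'Set-Cookie:') !== 0) {
        return null;
    }
    $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
    $pair  = explode('=', array_shift($parts), 2);
    if (count($pair) !== 2 || $pair[0] === '') {
        return null;
    }
    $cookie = array('name' => $pair[0], 'value' => urldecode($pair[1]), 'attrs' => array());
    foreach ($parts as $attr) {
        $kv = explode('=', $attr, 2);
        if ($kv[0] !== '') {
            $cookie['attrs'][strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
        }
    }
    return $cookie;
}
// Return a list of problems; an empty list means the login response rotated the ID.
function checkLoginRotation($cookieName, $preLoginId, $responseHeaders)
{
    $issued = null;
    foreach ($responseHeaders as $line) {
        $c = parseSetCookie($line);
        if ($c !== null && $c['name'] === $cookieName) {
            $issued = $c; // a later Set-Cookie for the same name overrides an earlier one
        }
    }
    if ($issued === null) {
        return array('session cookie was not reissued by the login response');
    }
    $problems = array();
    if ($issued['value'] === $preLoginId) {
        $problems[] = 'session ID is unchanged after login';
    }
    if (!isset($issued['attrs']['httponly'])) {
        $problems[] = 'HttpOnly attribute is missing';
    }
    return $problems;
}
// Constructed sample; the cookie name and IDs are placeholders.
$headers = array('Location: index.php', 'Set-Cookie: examplesessname=' . str_repeat('b', 32) . '; path=/administrator; HttpOnly');
var_dump(checkLoginRotation('examplesessname', str_repeat('a', 32), $headers));
var_dump(checkLoginRotation('examplesessname', str_repeat('b', 32), $headers));
```

The "not reissued" result matters as much as the "unchanged" one: if the row in the session table is renamed but the new cookie never reaches the browser, the user is left holding an ID that no longer exists.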

Re: Session Fixation Joomla 1.5

Post by Bernard T » Sat Jan 09, 2016 7:35 am

Hi Craig,

thanks for sharing this with us. I wouldn't worry about this approach being a core hack. J!1.5 is EOL code, no updates will come that way any time soon except some extra unversioned security patches.

On a quick look I've noticed you setting the "httponly" cookie setting there. Since this feature is present only since PHP 5.2, there should be a check for it and give a warning to the user if that is the case. Serious webmasters should have their sites on a higher PHP version anyway (I didn't check 1.5 compatibility with PHP 5.4+) but it would be nice to give a warning instead of a PHP error which would result on older PHP versions.
Furthermore, if we would also like to enable "httponly" on older PHP versions, I think the only way would be to use the header() function directly.

I will take a closer look at your code later on and let you know if I can see some spots for improvements.

Btw. if you have some additional security fixes for 1.5, are you interested in contributing to a GitHub repository I will be putting up soon for a Joomla 1.5 and 2.5 updateable "afterlife project"?

VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
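
The header() route mentioned in the post above for PHP versions older than 5.2, as an added example that is not part of the thread: the Set-Cookie line is built by hand so the HttpOnly attribute can be appended. The helper names buildSessionCookieHeader() and sendSessionCookie() and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread; both helper names are hypothetical.
// Build a Set-Cookie line by hand so HttpOnly can be sent where setcookie() lacks the 7th argument.
function buildSessionCookieHeader($name, $value, $params, $now)
{
    // Refuse names that could smuggle extra attributes or header lines.
    if ($name === '' || preg_match('/[=,;\s]/', $name)) {
        return false;
    }
    // rawurlencode() neutralises separators and CR/LF in the value.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    // 'lifetime' is a duration in seconds; 0 means a browser-session cookie.
    if (!empty($params['lifetime'])) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $now + $params['lifetime']) . ' GMT';
    }
    // path and domain come from php.ini / ini_set(), i.e. trusted configuration.
    if (!empty($params['path'])) {
        $header .= '; path=' . $params['path'];
    }
    if (!empty($params['domain'])) {
        $header .= '; domain=' . $params['domain'];
    }
    if (!empty($params['secure'])) {
        $header .= '; secure';
    }
    return $header . '; HttpOnly';
}
// Use setcookie() where it supports httponly, otherwise fall back to header().
function sendSessionCookie($name, $value, $params)
{
    if (headers_sent()) {
        return false; // too late to set any cookie
    }
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        $expire = empty($params['lifetime']) ? 0 : time() + $params['lifetime'];
        return setcookie($name, $value, $expire, $params['path'], $params['domain'], !empty($params['secure']), true);
    }
    $header = buildSessionCookieHeader($name, $value, $params, time());
    if ($header === false) {
        return false;
    }
    header($header, false); // false = add to, do not replace, other Set-Cookie headers
    return true;
}
// Constructed sample values, printed instead of sent so the result can be inspected.
$params = array('lifetime' => 900, 'path' => '/administrator', 'domain' => '', 'secure' => true);
echo buildSessionCookieHeader('examplesessname', str_repeat('b', 32), $params, time()), "\n";
```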

Re: Session Fixation Joomla 1.5

Post by almooj-craig » Tue Jan 12, 2016 11:21 am

Bernard,

Good point about older PHP versions. Here is an updated function that's added in the following file.
/libraries/joomla/session/session.php

Code:

function swapSessionIDs()
{
    $db =& JFactory::getDBO();
    $session =& JFactory::getSession();
    $oldID = $session->getId();
    $newID = $session->_createId();
    $sn = session_name();

    // Flush the session data under the old ID before renaming the row
    session_write_close();

    // Quote() escapes both values; the old ID comes from the request cookie
    $q = 'UPDATE #__session SET session_id = ' . $db->Quote($newID)
        . ' WHERE session_id = ' . $db->Quote($oldID);
    $db->setQuery($q);
    $db->query();

    $_COOKIE[$sn] = $newID;
    if (!headers_sent())
    {
        $cookie = session_get_cookie_params();
        if (isset($session->_force_ssl) && $session->_force_ssl) {
            $cookie['secure'] = true;
        }
        // 'lifetime' is a duration in seconds; setcookie() expects a timestamp (0 = session cookie)
        $expire = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0;

        if (version_compare(phpversion(), '5.2.0', '<'))
        {
            // setcookie() has no httponly argument before PHP 5.2
            setcookie($sn, $newID, $expire, $cookie['path'], $cookie['domain'], $cookie['secure']);
        }
        else
        {
            $cookie['httponly'] = true;
            setcookie($sn, $newID, $expire, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
        }
    }

    return;
}

Last edited by almooj-craig on Mon Jan 18, 2016 11:34 pm, edited 1 time in total.

Re: Session Fixation Joomla 1.5

Post by Bernard T » Mon Jan 18, 2016 9:11 pm

Good, it looks better now.

I'd suggest you update your posts and add the "=php" to your Code BBCode tags, like

Code:

, to improve the readability by code highlighting.