I managed to fix this problem once and for all.
The session error is occurring for me because my client's host has configured the server (shared hosting) to have a shared session directory rather than individual sessions per domain and per account. On cPanel hosts this shouldn't be a problem since sessions are configured for each domain individually. Although it is unlikely that many people will have the same problem as me, changing Joomla's code can prevent Joomla from logging you out for session errors.
I might add that because of the changes that need to be made, it will open a security vulnerability because any session that is initiated by another user can be used to access the back-end because the session IDs are the same - which are null values. For example, session id = "" for both users. Therefore, even though they would need to log in to admin with a username and password to successfully access the Joomla back-end, they could simply type in the URI of say administrator/index2.php and they will be granted access.
This is not a problem for me because the Joomla installation is not publicly accessible and is an extranet for a business, so the security vulnerability is not extensive in this case.
All of this applies to the Includes/Joomla.php file.
VERY IMPORTANT: If you have used any other fixes, etc., you should download the installation files from the package repository on Joomla's main website and copy back any files you have edited, overwriting the changes. If you fail to do this then Joomla will not load; I've tried it and that's how I know.
Another thing is that after applying this patch, you will need to make your site inaccessible to any other users including yourself whilst you access the administrator section. This is because if another user accesses the website, they will start a session of ID="", the same as yours - this will cause the back-end to tell you that you are not authorised to use this resource. I have tested it extensively and it ONLY happens when other users are on the site.
Now for the fix, applied to Joomla 1.0.15 or Joomla 1.0.13:
Firstly, you should find line 872. All of the lines executing the exit() function should be commented and so should any $mos echoes, as they will log you out and take you back to the admin index page respectively. Do not edit the first part of the conditional else function (the one for session.auto_start) as there is no need to do this.
Code:
        // no session_id as user has not attempted to login, or session.auto_start is switched on
        if (ini_get( 'session.auto_start' ) || !ini_get( 'session.use_cookies' )) {
            echo "<script>document.location.href='index.php?mosmsg=You need to login. If PHP\'s session.auto_start setting is on or session.use_cookies setting is off, you may need to correct this before you will be able to login.'</script>\n";
        } else {
            //echo "<script>document.location.href='index.php?mosmsg=You need to login'</script>\n";
        }
        //exit();
    } else {
        // session id does not correspond to required session format
        //echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
        //exit();
    }
Then the session ID check needs to be commented as well as the previous one. The return value from the session check needs to return a valid session ID so there needs to be an echo. This is demonstrated as follows (you will need to find this in the code yourself). The previous user kindly suggested this.
Code:
    if ($session_id != session_id()) {
        // session id does not correspond to required session format
        echo ($session_id . "-" . session_id());
        //echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
        //exit();
    }
All of the changes MUST be made or there will be no change. If you fail to do the first bit then you will just be constantly logged out until you finish the fix.
Effectively, this removes session checking and validation. Hence, all users have the same session ID.
As I have indicated, this fix opens up a security hole, so do this at your own risk.
WAY TO FIX THE SECURITY HOLE
Password protect the administrator directory using .htaccess files, or use the relevant cPanel/SSH utilities.
I suspect that this may still cause errors with user logins as each user will have the same session ID, so if two users login and use the CMS at the same time, I suspect that they will either cause a database error or access the same database records. Any recommendations for this are welcomed.
Hope it helps.
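Added example (not from the original post): one way to apply the .htaccess password protection suggested for the administrator directory above, on an Apache host that allows AuthConfig overrides. The password file path and user name are placeholders.

```apache
# Placeholder: save as <joomla root>/administrator/.htaccess
# Assumes the host permits "AllowOverride AuthConfig" (or All) for this directory.
# Create the password file OUTSIDE the web root first, e.g.
#   htpasswd -c /home/ACCOUNT/.htpasswd_admin adminuser
# (/home/ACCOUNT/.htpasswd_admin and adminuser are placeholders.)
# Every request under administrator/, including index2.php, must now pass
# HTTP Basic authentication before Joomla's own (disabled) session check runs.
# Basic auth only base64-encodes credentials, so serve the directory over HTTPS.
AuthType Basic
AuthName "Joomla Administration - authorised staff only"
AuthUserFile /home/ACCOUNT/.htpasswd_admin
Require valid-user
```

On cPanel the "Password Protect Directories" tool writes an equivalent block for you.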