[NOT A BUG] joomla 1.5 RC4 session ids not changing after session timeout

[nkissebe]

I tried this in dev with no response, so maybe its bug rather than something I don't understand.

I am seeing some odd behavior in 1.5 RC4+ (r9771).  The session id is not getting regenerated after a logged in user's session expires. After a session timeout It quietly converts that session to an anonymous session. If I log in again in the same browser session (same or different username) it quietly converts that same session from an anonymous session to the new user's session.  I was under the assumption that I could use the session id as a unique identifier to a given user's login session (i want to use this assumption for some statistics generation we have to do on our websites). I think session ids should be regenerated when any session timesout/expires (logged in, or anonymous for that matter).

It is also possible that I am misunderstanding something, so I welcome a correction to my understanding as well.

[masterchief]

You may have to test in a real environment more or at least emulate it.  When you session expires, try going to your site using another browser.  That should trigger the code that flushes the session table.  There could be some latency though - I'm not sure.  It's not really a bug either way though.

[nkissebe]

This is happening in a real environment (not sure what I said to indicate otherwise). It is on 4 production servers where I want to start using the session id as a unique session identifier in logs and as a key in other tables for anonymous statistics gathering.

I don't have a lot of time today to document this, but lets start with an easy case and consider it. I don't necessarily consider this first instance a bug by itself, but it contributes to behavior that prevents my using the session id for the purposes I want.

I enter my site, i see my session appear in jos_session as id 83df127dd372171e5bb228894cdf8805. I log in. Session 83df127dd372171e5bb228894cdf8805 now has my login attached to it (personally I would prefer a new session id be assigned, but I bet I could do that with an onlogin event maybe). Now I sit idle for 20 minutes (site is set with a 15 minute session timeout). As other people are coming and going from the site causing session purges I see that 83df127dd372171e5bb228894cdf8805 is no longer in the jos_session table at this time. I now load a public (saym the homepage) page in my browser. I now see that session 83df127dd372171e5bb228894cdf8805 reappears as a guest session. The problem is that it restarts the session based on the cookie my browser still had for the site. Restarting the session_id like this is just a problem waiting to happen. It may not cause any problems now, but it could mess with people who might want to use the session_id as a key in another table or for statistics logging the way I do.  The problem exacerbates from here.... if I now log in as another user (using the same browser session) the session 83df127dd372171e5bb228894cdf8805 now appears with a new username because when you log in you inherit the anonymous session_id that you were previously using. Admittedly you don't usually see this as it only occurs if you allow your session to timeout without explicitly logging out and have another user then logging in from the same browser session. While uncommon it is possible and I think it presents a potential security issue I wouldn't be comfortable leaving in place. The bigger problem for me is that usage by multiple people will be grouped under the same session id which screws up my session based stats.  I think I can fix some of this with a request to restart a session in the onlogin event in my user plugin but (assuming that works) it still would cause my stats to assign anonymous usage after a user session times out to be assigned to the previously logged in user which isn't desirable to me for my purposes.

[diri]

Is it granted by Joomla! that nothing in relation to permission management is based on session id?

If yes it's no bug.

If no or maybe - it looks like a security hole when this id is not unique.

[nkissebe]

Is it granted by Joomla! that nothing in relation to permission management is based on session id?

If yes it's no bug.

That is probably true for the core. I can't say whether there is an official statement of the legal use or definition of a session ids. So I suppose you could declare it not a bug on those grounds and perhaps it is better addressed as a feature request. However, why bother regenerating a session id when you logout (which it currently does) if you didn't intend for session ids to be unique per login session (as opposed to unique per browser session which is the best you can currently say).

[masterchief]

As far as Joomla! is concerned, the session id tracks a visitor.  If that visitor logs in then out, Joomla! retains the same id.  If the session expires then it should generate a new session id because it thinks you are a new visitor.

[diri]

As far as Joomla! is concerned, the session id tracks a visitor.  If that visitor logs in then out, Joomla! retains the same id.  If the session expires then it should generate a new session id because it thinks you are a new visitor.

Do I understand it correct "new id" should be another id?

It doesn't look like Joomla! works this way. If session id is used for tracking only there is no problem. If it is used to grant permissions to a user while he is online I see potential for a risk.

I did not examine J! in this relation but some time ago I had to hack a system (closed source) for a customer. It worked the way described in previous postings. I had to "steal" a cookie (two to be logged in as well) from a logged in trivial user's machine and do some guesswork only to become superadmin. I'm pretty sure to be able to have this status again when using those old cookies now because system is still the same.

Remark:
I *really* deleted all data related to this job on my machines. It's not my interest to cause damage at a customer's site.

[nkissebe]

As far as Joomla! is concerned, the session id tracks a visitor.

Ok. Good, thats exactly what I want.

  If that visitor logs in then out, Joomla! retains the same id. 

Ok. Not so good. That exactly contradicts the above and also isn't what happens now. As soon as you log out a new session id is generated.

If the session expires then it should generate a new session id because it thinks you are a new visitor.

Ok. Good, thats exactly what I want. But thats not what it is doing. It restarts the session id when a client sends a cookie with an old expired session id (this is wrong, from the point of view of my logging anyway).

[masterchief]

You are probably better off writing your own plugin and using a custom tracking cookie or something rather than relying on the core session id.  That way you can make the system behave exactly how you want it to.