Invalid Session after upgrading to 1.0.13 and 1.0.15

Joomla version 1.0 is end-of-life and is no longer supported. Please use Joomla 3.x instead.

suppie
Joomla! Fledgling
Posts: 2
Joined: Tue Apr 08, 2008 10:35 am

Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by suppie » Tue Apr 08, 2008 10:46 am

Hi,

After upgrading to versions 1.0.13 and 1.0.15 I got an "Invalid Session" error when accessing the components installer in the backend (http://xxxxx/administrator/index2.php?o ... =component). Everything else is working fine. I tried several "solutions" from different threads, but no success:

a) Clear /cache directory -> no success
b) New session directory in joomla root path and new php.ini in root path -> no success (the session indeed is working!)
c) uncommenting the lines 740-744 in includes/joomla.php -> no success

This is the error: <script>document.location.href='index.php?mosmsg=Invalid Session'</script>. Of course this error is produced by the lines 740-744 in includes/joomla.php.

Any ideas...

Da_Joomlian
Joomla! Enthusiast
Posts: 199
Joined: Mon Jun 18, 2007 9:24 am

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by Da_Joomlian » Tue Apr 08, 2008 12:37 pm

Can you PM me the website link? I will try to solve it.

pablojgm
Joomla! Fledgling
Posts: 1
Joined: Tue Apr 08, 2008 3:35 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by pablojgm » Tue Apr 08, 2008 3:38 pm

The problem seems to be in line "if ($session_id != session_id()) {"

I echo both values but the first one is empty so we all get Invalid Session.

Wanna try by yourself? Try this and surf through your admin pages.

		if ($session_id != session_id()) {
			// session id does not correspond to required session format
			echo ($session_id . "-" . session_id());
			//echo "<script>document.location.href='index.php?mosmsg=Sesión Inválida'</script>\n";
			//exit();
		}

whitetigerx
Joomla! Fledgling
Posts: 4
Joined: Wed Jan 23, 2008 10:27 am

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by whitetigerx » Wed Apr 09, 2008 7:54 pm

I managed to fix this problem once and for all.

The session error is occurring for me because my client's host has configured the server (shared hosting) to have a shared session directory rather than individual sessions per domain and per account. On cPanel hosts this shouldn't be a problem since sessions are configured for each domain individually. Although it is unlikely that many people will have the same problem as me, changing Joomla's code can prevent Joomla from logging you out for session errors.

I might add that because of the changes that need to be made, it will open a security vulnerability because any session that is initiated by another user can be used to access the back-end because the session IDs are the same - which are null values. For example, session id = "" for both users. Therefore, even though they would need to log in to admin with a username and password to successfully access the Joomla back-end, they could simply type in the URI of say administrator/index2.php and they will be granted access.

This is not a problem for me because the joomla installation is not publicly accessible and is an extranet for a business, so the security vulnerability is not extensive in this case.

All of this applies to the Includes/Joomla.php file.

VERY IMPORTANT If you have used any other fixes, etc, you should download the installation files from the package repository on Joomla's main website and copy back any files you have edited overwriting the changes. If you fail to do this then Joomla will not load, I've tried it and that's how I know.

Another thing is that after applying this patch, you will need to make your site inaccessible to any other users including yourself whilst you access the administrator section. This is because if another user accesses the website, they will start a session of ID="", the same as yours - this will cause the back-end to tell you that you are not authorised to use this resource. I have tested it extensively and it ONLY happens when other users are on the site.

Now for the fix, applied to Joomla 1.0.15 or Joomla 1.0.13:

Firstly, you should find line 872. All of the lines executing the exit() function should be commented and so should any $mos echos as they will log you out and take you back to the admin index page respectively. Do not edit the first part of the conditional else function (the one for session.auto_start) as there is no need to do this.

Code:

			// no session_id as user has not attempted to login, or session.auto_start is switched on
			if (ini_get( 'session.auto_start' ) || !ini_get( 'session.use_cookies' )) {
				echo "<script>document.location.href='index.php?mosmsg=You need to login. If PHP\'s session.auto_start setting is on or session.use_cookies setting is off, you may need to correct this before you will be able to login.'</script>\n";
			} else {
				//echo "<script>document.location.href='index.php?mosmsg=You need to login'</script>\n";
			}
			//exit();
		} else {
			// session id does not correspond to required session format
			//echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
			//exit();
		}

Then the session ID check needs to be commented as well as the previous one. The return value from the session check needs to return a valid session ID so there needs to be an echo. This is demonstrated as follows (you will need to find this in the code yourself). The previous user kindly suggested this.

Code:

		if ($session_id != session_id()) {
			// session id does not correspond to required session format
			echo ($session_id . "-" . session_id());
			//echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
			//exit();
		}

All of the changes MUST be made or there will be no change. If you fail to do the first bit then you will just be constantly logged out until you finish the fix.

Effectively, this removes session checking and validation. Hence, all users have the same session ID.

As I have indicated, this fix opens up a security hole, so do this at your own risk.

WAY TO FIX THE SECURITY HOLE

Password protect the administrator directory using .htaccess files, or use the relevant cPanel/SSH utilities.

I suspect that this may still cause errors with user logins as each user will have the same session ID, so if two users login and use the CMS at the same time, I suspect that they will either cause a database error or access the same database records. Any recommendations for this are welcomed.

Hope it helps.
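
An audit for the edits described in this post, as an added example (not part of the original post and not Joomla code): it scans the text of includes/joomla.php for the commented-out redirect and exit() lines and for the debug echo of the session ID. The function name, the sample strings and the three-line window are assumptions; guard lines that were translated or deleted outright are not detected.

```python
import re

# Redirect strings of the guards the post comments out (copied from the page).
GUARD_MESSAGES = ("mosmsg=Invalid Session'", "mosmsg=You need to login'")
COMMENTED = re.compile(r"^\s*(//|#)")
EXIT_CALL = re.compile(r"\bexit\s*\(\s*\)\s*;")
ID_ECHO = re.compile(r"\becho\b.*\bsession_id\s*\(\s*\)")
WINDOW = 3  # an exit() this close below a guard redirect belongs to that guard


def find_disabled_session_guards(php_source):
    """Return (line_number, reason) for every weakened session guard found."""
    findings = []
    last_guard = None  # line number of the most recent guard redirect
    for number, line in enumerate(php_source.splitlines(), start=1):
        commented = bool(COMMENTED.match(line))
        if any(message in line for message in GUARD_MESSAGES):
            last_guard = number
            if commented:
                findings.append((number, "redirect commented out"))
        elif not commented and ID_ECHO.search(line):
            findings.append((number, "session id echoed to the page"))
        elif EXIT_CALL.search(line) and last_guard and number - last_guard <= WINDOW:
            if commented:
                findings.append((number, "exit() commented out"))
            last_guard = None  # this guard's exit() is accounted for
    return findings


# Constructed samples: PATCHED is the snippet from the post, STOCK is the same
# block with the comment markers removed (assumed to match the shipped file).
PATCHED = r"""if ($session_id != session_id()) {
    // session id does not correspond to required session format
    echo ($session_id . "-" . session_id());
    //echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
    //exit();
}"""
STOCK = r"""if ($session_id != session_id()) {
    // session id does not correspond to required session format
    echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
    exit();
}"""

if __name__ == "__main__":
    for name, source in (("stock", STOCK), ("patched", PATCHED)):
        print(name, find_disabled_session_guards(source))
```

Any finding means the file should be restored from the full installation package, as the post itself advises for edited files.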

suppie
Joomla! Fledgling
Posts: 2
Joined: Tue Apr 08, 2008 10:35 am

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by suppie » Thu Apr 10, 2008 10:46 am

Hi,

Found a solution for my problem. In the Apache log file /var/log/apache2/error_log there was a hint:

> Allowed memory size of 8388608 bytes exhausted (tried to allocate 18432 bytes)

I increased the allowed memory size from 8mb to 32mb (in php.ini, parameter: memory_limit) and now the invalid session error is gone and everything is working fine.

imaam
Joomla! Fledgling
Posts: 3
Joined: Tue Apr 08, 2008 10:20 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by imaam » Mon Apr 14, 2008 11:38 pm

Hi,

I have Joomla 1.0.15, php-5.2.5,

1st day after installation everything was fine, but after 2 days I started having the Invalid Session problem.

I made,
session.auto_start =1

I also applied the code suggested above. Memory Limit is 128M

Please help me out.

:'(

waderw24
Joomla! Intern
Posts: 64
Joined: Sat Oct 21, 2006 2:25 am
Location: VA, USA

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by waderw24 » Tue Apr 29, 2008 1:35 am

Me too! I am having the same issue, only I installed JCE and next thing I know I'm getting "Invalid Session" >:(
Joomla! n00b - Thanks for your patience while I learn! :)

alfabravoteam
Joomla! Intern
Posts: 54
Joined: Wed Aug 01, 2007 5:51 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by alfabravoteam » Wed Apr 30, 2008 7:14 pm

Is this related exclusively to 1.0.15? I'm looking for topics talking about this version because I intend to update my v1.0.12 site.

I found the case disturbing where the memory limit was increased in php.ini, the code fix was done and the problem remains.

waderw24
Joomla! Intern
Posts: 64
Joined: Sat Oct 21, 2006 2:25 am
Location: VA, USA

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by waderw24 » Wed Apr 30, 2008 7:29 pm

I resolved my issue by placing a php.ini in my site's root and also in my Joomla Administrator directory.
Joomla! n00b - Thanks for your patience while I learn! :)

alfabravoteam
Joomla! Intern
Posts: 54
Joined: Wed Aug 01, 2007 5:51 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by alfabravoteam » Wed Apr 30, 2008 7:34 pm

waderw24 wrote:
> I resolved my issue by placing a php.ini in my site's root and also in my Joomla Administrator directory.

Shouldn't this file be AWAY from public access? I mean, you're placing the file in a directory served by the web server (apache). That kind of hack was usual when kick-starting php with IIS, but IMHO it is not the best solution AT ALL.
"Verba volant, scripta manent"

waderw24
Joomla! Intern
Posts: 64
Joined: Sat Oct 21, 2006 2:25 am
Location: VA, USA

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by waderw24 » Thu May 01, 2008 5:08 pm

I guess so. Is there a better way to handle the php.ini file? Where would you recommend I place it or configure it?
Joomla! n00b - Thanks for your patience while I learn! :)

alfabravoteam
Joomla! Intern
Posts: 54
Joined: Wed Aug 01, 2007 5:51 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by alfabravoteam » Fri May 02, 2008 2:41 am

waderw24 wrote:
> I guess so. Is there a better way to handle the php.ini file? Where would you recommend I place it or configure it?

Well, right now I'm using 1.0.12, so I'm not having such a problem in my site at this time. Somehow, I'm interested in applying the patch-to-1.0.15, but I've found oh-so-many topics about this... the Joomla! site MUST work without a php.ini in the root of the site. Setting a folder with 777 permissions, using this hack or the session_id validation I've seen somewhere in this forum in order to be able to log in... those kinds of things must be out of the options available because they expose the websites to attacks. And it's obvious: you can't keep a site with such security flaws as a response to a misunderstood (or poorly explained) development.

If there's any change in the configuration of the php engine that should be done in order to make your site work, it should be done in the php.ini located in /etc/php5/ or so, or in C:\Program Files\PHP5\ if working on Windows. If your site is located in some external hosting service and they say "no way" to your request of changing the PHP settings, ask them or find somebody that offers this 'tuning' option or even someone that uses virtualization, so every single site has a separate environment.

I've already downloaded the patch. I don't pretend to be a Joomla guru or so, but I guess it would be nice to patch my site and I hope I can replicate the error and luckily, solve it somehow.
"Verba volant, scripta manent"

imaam
Joomla! Fledgling
Posts: 3
Joined: Tue Apr 08, 2008 10:20 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by imaam » Thu May 08, 2008 12:05 am

Hi,

I am using 1.5.3 and didn't have this issue. :)

alfabravoteam
Joomla! Intern
Posts: 54
Joined: Wed Aug 01, 2007 5:51 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by alfabravoteam » Thu May 08, 2008 5:29 am

imaam wrote:
> Hi,
>
> I am using 1.5.3 and didn't have this issue. :)

Fresh install or upgraded?
"Verba volant, scripta manent"

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by rliskey » Sun Oct 12, 2008 9:28 am

I got the invalid session error on administrator login after upgrading with the 1.0.13 to 1.0.15 patch.

The error was resolved by replacing all files in /administrator/ and /include/ using the full 1.0.15 installer (not the patch). Does the 1.0.13 to 1.0.15 patch maybe have a corrupted file?

aaanativearts
Joomla! Enthusiast
Posts: 203
Joined: Fri Aug 04, 2006 12:38 pm

Re: Invalid Session after upgrading to 1.0.13 and 1.0.15

Post by aaanativearts » Sat Jan 21, 2012 6:19 am

First I tried all the solutions offered in this 4 page thread at http://forum.joomla.org/viewtopic.php?p=1625361 and none of them worked for me, although they solved the problem for a lot of people. After I tried each one, I reverted it back to the original files.

I then applied the fix files referenced at http://forum.joomla.org/viewtopic.php?t=200725 and it still didn't work, but I didn't change them back yet.

Then I realized my absolute paths in the configuration file reference mydomain.com (without the www.) but I was trying to access the admin panel from http://www.mydomain.com/administrator/
When I dropped the www. now it works normally, without the invalid session problem.

Don't know if it was a combination of the two things, or just the last that fixed it.

