phpsessionauthenticationjoomla2.5session-fixation

session fixation in Joomla 2.5

Impact that this can cause: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

And recommended solution to prevent session fixation attacks is to renew the session ID when a user logs in. This fix can be done at the code level or framework level, depending on where the session management functionality is implemented.

I'm trying to find a fix for this and still i'm not successful. Anyone can help how to fix this in Joomla 2.5?

I want to implement this fix at framework level. Any help will be appreciated.

Solution

  • Thanks a lot @ryadavalli ! It is very helpful. Using your suggested solution, I solved it for Joomla 2.5.

    Only few changes; for Joomla 2.5 the code needs to be placed in

    1. libraries/joomla/application/application.php
    2. libraries/joomla/session/session.php

    In application.php w.r.t your solution

    public function login($credentials, $options = array())
    {
        // Get the global JAuthentication object.
        jimport('joomla.user.authentication');

        $authenticate = JAuthentication::getInstance();
        $response = $authenticate->authenticate($credentials, $options);

        // Import the user plugin group.
        JPluginHelper::importPlugin('user');

        if ($response->status === JAuthentication::STATUS_SUCCESS)
        {
             $session = &JFactory::getSession();
                    // we fork the session to prevent session fixation issues
             $session->fork();
            // validate that the user should be able to login (different to being authenticated)
            // this permits authentication plugins blocking the user
            $authorisations = $authenticate->authorise($response, $options);

    In session.php, updated the code as following

    public function fork()
    {
        if ($this->_state !== 'active')
        {
            // @TODO :: generated error here
            return false;
        }

        // Save values
        $values = $_SESSION;

        // Keep session config
        /*$trans = ini_get('session.use_trans_sid');
        if ($trans)
        {
            ini_set('session.use_trans_sid', 0);
        } */
        $cookie = session_get_cookie_params();

        // Create new session id
        //$id = $this->_createId();

            session_regenerate_id(true);
            $id = session_id();

            // first we grab the session data
            $data = $this->_store->read();

        // Kill session
        session_destroy();

        // Re-register the session store after a session has been destroyed, to avoid PHP bug
        $this->_store->register();

        // Restore config
        ini_set('session.use_trans_sid', $trans);
        session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);

        // Restart session with new id
        session_id($id);
        session_start();

        $_SESSION = $values;

            //now we put the session data back
            $this->_store->write($id, $data);

        return true;
    }