Joomla 1.0.12 was known to have security problem so that Joomla users were urged to upgrade their Joomla to Joomla 1.0.13. For some users, upgrading went smoothly. However, others reported that there was problem with Joomla administrator login. It forced them to logout immediately after entering Joomla admin panel. Message found was either “Invalid Login”, “Admin Session Expired”, or “You need to login”. Did you also experience this issue? This article may help you explaining why it occured and alternative solutions available.
Active Session Id Verification in Joomla 1.0.13
If you follow Joomla development and compare how Joomla admin authentication works, you will notice that Joomla 1.0.13 implements internal active session id verification for the administrator login. This change prevents session fixation attempt and add more security to joomla authentication by ensuring current session id used is still active and uses Joomla’s session namespace.
However, Joomla 1.0.13 was shipped with broken session handler for administrator authentication. A new session namespace and id were generated when somebody pressed buttons other than “save” and “task” even if the session was not expired yet. Consequently, user experienced forced logout.
Quick Solution For Those Who Are In Hurry
Rob Schley from Joomla Development Team has posted a solution to this problem in Joomla forum. The solution contains patches for two files: includes/joomla.php and administrator/index.php. You can simply replace both files and check if it works by logging in to Joomla administrator. If you are still forced to log out when you click some buttons, it’s wise to also implement this change to file administrator/index2.php. If none of these changes relieve your headache, you may need to read the rest of this article and find the reason why.
Your Server Settings May Hinder You From Saving Session In Files
In some cases, server has different configuration from what Joomla expects. The picture belows describe how an uncommon configuration may lead to Joomla malfunction.
Default value for session.save_handler is “files”. For value “user”, a custom session handler has to be enacted by user which is currently not supported in native Joomla implementation. For session.save_path directive, extra check needs to be made to make sure that the path is readable and writable by Apache (or php handler) user id
If you do “phpinfo()” and get exact configuration values like the picture above, you may consider implementing the solution below.
Final Solution
My alternative patch for Joomla 1.0.13 can be downloaded from: http://dev.amikelive.com/joomla1/component/ option,com_remository/Itemid,5/func,select/id,2/
This patch combines both fixes mentioned earlier and add mechanism for forcing session module name and storage place.
How to invoke this fix:
- Backup your joomla files
- Copy the files in the zip into their respective folders
- Create a folder named session in your joomla installation directory (the directory where index.php exists)
- Give Apache (or php handler) user permission to write into the directory (you can chmod the directory to 777 or alike)
- Test logging into joomla admin panel.
If you still have issues with joomla admin session problem, please give comment to this post. Good luck!
I can’t get rid of the admin session problem
Tried every fix going
If I reload site and DB everything works fine until the admin session times out. After that happens keep getting invalid session in URL
Any more ideas????
I also get the error when trying to navigate anywhere in the backend, I have tryed these fixes to no avail…HELP!
@Stuart, Andrew
If you still have problem after upgrading to (upcoming) Joomla 1.0.14, please post more details on how to replicate the error later. At this stage, I can only say that the fixes will work most of time unless it’s another bug undiscovered or different server setup overlooked in developer’s test.
Session path: /home2/priveth/public_html/vb/session is not writable
( I have set permission to 777 and still get error that is not writable )
i’m using Joomla 1.0.13 help
This is something I see repeatedly in 1.0.14 as well.
Unfortunately though, I can not seem to determine a pattern for when or why it logs out the back-end user.
I’m not sure if it is necessarily related but I have trouble on the front-end as well. Registered users can log in (they are marked as logged in from the back-end) but are not awarded any of the “privileges” that are set for a logged in user. Neither does the com_login module recognise them as logged in on the front-end.
Interestingly enough, none of this happens on PHP5. I have 2 copies of this site, one on PHP4.4.7 and another (local) on PHP5. The problems only occur on the 4.4.7 site…
This solved my problem after upgrade from 1.0.12 to 1.0.14.
Thank you.
I also encounter this annoying invalid session bug after upgrading Joomla from 1.0.13 to 1.0.15 even after applying this fix.
phpinfo() says:
session.save_handler files files
session.save_path /home/www/XXXXXX/phptmp /home/www/XXXXXX/phptmp
However, session files are still created in /home/www/XXXXXX/phptmp and not in Joomla’s new session directory located in /home/www/XXXXXX/html/cms/session (rights: 777 as advised).
Any help would be greatly appreciated!
Wow, your fix is a life-saver so far. Too bad it took me about 3 hours to find it but still – you rock!
@Klaus
i noticed there are two session.save_path? this approach assumes that there is only single session directory which is unwritable and it will redirect session creation to another folder which is writable by php script.
@Jack
Glad to know you solve the problem.
Interesting. I followed the instructions on patching my 1.0.12 version to 1.0.15. Luckily, this is a /dev/ account so my live site is still working.
I attempted to log in and received the “Invalid Session” message. I fired up phpMyAdmin 2.11.0 and saw the “salted” password. So I changed the hash to the known hash for “admin”.
When I tried using “admin”, “admin” I was given the “Invalid Session” again. Looking through phpMyAdmin the hash for “admin” which I had just put in was completely different along with salting. Is this what is supposed to happen?
I haven’t tried the fixes above in the php files but when I encountered this problem in the past I was able to circumvent it using the method above. What gives now?
@Captain Nemo
What table did you modify? If you modify “users” table, it could be another issue. The hash in “session” table is auto generated by some mechanisms thus you can not simply change or the system will try to create a new one.
I modified the “users” table.
The whole process:
Copied jos_ tables to dev_ tables (host only gives 1 sql database)
Copied live 1.0.12 to dev folder.
Changed configuration.php to reflect new pointers.
Uploaded. Front-end and back-end of both live and dev sites worked and from correct tables.
Unzipped patch 1.0.12 to 1.0.15 over my dev folder.
Uploaded dev site again.
Live site still works fine, but dev site won’t allow login. The site itself runs fine but obviously I cannot add, change, or delete anything if I can’t get into the administrator area.
Using phpMyAdmin I went to the “dev_users” table. I took my admin account and changed the hash to “admin” (21232f297a57a5a743894a0e4a801fc3). I tried to log in and got the Invalid Session error.
I refreshed the table in phpMyAdmin and the password for admin is now
8aeade92ead0dbf6067b0c127c50496b:QF1rEQNs8U734r6d.
If I type in an incorrect password my dev_users table remains unchanged. So this is where I am currently. Did I do something wrong?
This is the only patch that really works, i tried many of them, even upgraded to 1.0.15 but still the same ERROR
THIS IS THE ONLY WORKING PATCH. Its also working if your facing session problem on 1.0.15 , i tried it on my test mirror.
THANK YOU 10000000000000 times 😉
bye
I used your fix process, but then my joomla wrote this:
Warning: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/var/lib/php5) is not within the allowed path(s): (/data/ceskamoda/html) in
Do you know, how can I fix it?
@captain nemo I got the excat same problem with an 1.0.15 version of joomla. It seems to be keep changing my password in the database (table jos_users) anybody knows how to fix this?
Thanks in advance!
@Eduard
The error “open_basedir restriction in effect” refers to a situation in which a user is restricted from opening files owned by another user. The error itself is explainable since /var/lib/php5 is owned by system and /ceskamoda/html is your own directory.
However, my patch adds is_readable call to certain file and i didn’t find the filename for your error message. Hence, the self-explanatory error message becomes bogus. It could be something related to my fix or joomla’s. Considering my patch was made for 1.0.13 and I haven’t verified for newer version, I couldn’t verify the real cause and solution for your case, unless I look at and fiddle with it by myself.
I’m on Joomla 1.10.15, discovered the same problem: either “Admin session expired” or “Invalid session”
I can successfully logon into the backend.
After that I open any item, in the WYSIWYG editor click the button that engages html editor plugin. It opens a new FF tab (as it should) but instead of showing the editor (as before) the tab contains new instance of login screen with “Admin session expired” message above.
I’ve applied the patch, cleared cache etc. etc., but to no avail – nothing has changed.
I faced a very annoying spurious logout issue with JOOMLA 1.0.15 manifesting itself in very few places: the nBill component while editing an order form field, and the native JOOMLA media manager central panel.
I actually applied the fix documented at
https://tech.amikelive.com/node-41/comprehensive-solution-for-joomla-admin-session-problem-after-upgrading-to-joomla-1013/
with some changes so that 1.0.15 improvements are preserved.
You achieve the result using Eclipse Compare editor facilities for instance and move changes one by one over the 1.0.15 files considering their relevance in turn.
You can also download a zip of my own patched files (at your own risk) here: http://www.reversexsl.com/PublicPatches/Joomla1015-logoutPatch.zip
i’m using joomla 1.0.12. I did same above but it not work
My server got hacked through a site I hadn’t had time to upgrade or do anything with and I’ve had a lot of problems on various domains since, including the dreaded 1.13 Admin “Invalid Session” error.
You are a life saver! Now on to the rest of the fixes.
I have Joomla Version 1.015 which up till recently, last 3 months was working fine. Now I am geting hte issue of invalid logins happening all the time. Sometimes its fine, the next it happens continually despite logging in all the time.
Is there a specific fix for the 1.015 version?
Just uploaded the 2 files:
1) administrator/index.php
2) includes/joomla.php
and everything fell into place.
Thank you!!!
George K.