Joomla 1.0.12 was known to have a security problem, so Joomla users were urged to upgrade to Joomla 1.0.13. For some users, the upgrade went smoothly. Others, however, reported a problem with the Joomla administrator login: it forced them to log out immediately after entering the Joomla admin panel. The message shown was either “Invalid Login”, “Admin Session Expired”, or “You need to login”. Did you also experience this issue? This article may help explain why it occurred and which alternative solutions are available.
Active Session Id Verification in Joomla 1.0.13
If you follow Joomla development and compare how Joomla admin authentication works, you will notice that Joomla 1.0.13 implements internal active session id verification for the administrator login. This change prevents session fixation attempts and adds more security to Joomla authentication by ensuring that the current session id is still active and uses Joomla’s session namespace.
However, Joomla 1.0.13 was shipped with a broken session handler for administrator authentication. A new session namespace and id were generated when somebody pressed buttons other than “save” and “task”, even if the session had not expired yet. Consequently, users experienced a forced logout.
Quick Solution For Those Who Are In A Hurry
Rob Schley from the Joomla Development Team has posted a solution to this problem in the Joomla forum. The solution contains patches for two files: includes/joomla.php and administrator/index.php. You can simply replace both files and check whether it works by logging in to the Joomla administrator. If you are still forced to log out when you click some buttons, it’s wise to also apply this change to the file administrator/index2.php. If none of these changes relieves your headache, you may need to read the rest of this article to find out why.
Your Server Settings May Prevent You From Saving Sessions In Files
In some cases, the server has a different configuration from what Joomla expects. The picture below describes how an uncommon configuration may lead to a Joomla malfunction.
The default value for session.save_handler is “files”. For the value “user”, a custom session handler has to be provided by the user, which is currently not supported in the native Joomla implementation. For the session.save_path directive, an extra check needs to be made to make sure that the path is readable and writable by the Apache (or PHP handler) user id.
If you run “phpinfo()” and get exactly the configuration values shown in the picture above, you may consider implementing the solution below.
My alternative patch for Joomla 1.0.13 can be downloaded from: http://dev.amikelive.com/joomla1/component/option,com_remository/Itemid,5/func,select/id,2/
This patch combines both fixes mentioned earlier and adds a mechanism for forcing the session module name and storage location.
How to apply this fix:
- Back up your Joomla files
- Copy the files in the zip into their respective folders
- Create a folder named session in your Joomla installation directory (the directory where index.php exists)
- Give the Apache (or PHP handler) user permission to write into the directory (you can chmod the directory to 777 or similar)
- Test logging in to the Joomla admin panel.
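Before hunting for Joomla bugs, it helps to check the two PHP settings named above and to create the session folder from the steps above in one go. The script below is an added example and is not part of the Joomla patch; the Joomla root path, the web server account name and the `check_session_config` / `prepare_session_dir` function names are assumptions for illustration.

```shell
#!/bin/sh
# Added diagnostic for the session settings discussed in the article.
# Not part of the Joomla 1.0.13 patch; function names are illustrative.

# check_session_config HANDLER SAVE_PATH
# Succeeds only when HANDLER is "files" and SAVE_PATH is a directory the
# current user can write to. Run it as the Apache (or PHP handler) user,
# since a root shell can write almost anywhere and would mask the problem.
check_session_config() {
  handler="$1"; save_path="$2"; status=0
  if [ "$handler" != "files" ]; then
    echo "session.save_handler is '$handler'; Joomla 1.0.x needs 'files'" >&2
    status=1
  fi
  if [ -z "$save_path" ]; then
    # PHP falls back to the system temp directory when save_path is empty
    save_path="${TMPDIR:-/tmp}"
  fi
  if [ ! -d "$save_path" ]; then
    echo "session.save_path '$save_path' is not a directory" >&2
    status=1
  elif [ ! -w "$save_path" ]; then
    echo "session.save_path '$save_path' is not writable by $(id -un)" >&2
    status=1
  fi
  return $status
}

# prepare_session_dir JOOMLA_ROOT [WEB_USER]
# Creates the "session" folder the article's steps ask for. When WEB_USER
# is given, the folder is chowned to that account and kept at 0770 instead
# of the world-writable 777 the article mentions, so other local accounts
# cannot read session files. Without WEB_USER it follows the article (777).
prepare_session_dir() {
  dir="$1/session"
  mkdir -p "$dir" || return 1
  if [ -n "$2" ]; then
    chown "$2" "$dir" && chmod 0770 "$dir"
  else
    chmod 0777 "$dir"
  fi
}

# Optional live check via the PHP CLI. The Apache module may load a different
# php.ini, so compare with the phpinfo() output served by the web server.
if [ "$1" = "--live" ] && command -v php >/dev/null 2>&1; then
  check_session_config "$(php -r 'echo ini_get("session.save_handler");')" \
                       "$(php -r 'echo ini_get("session.save_path");')"
fi
```

Run it as the web server user, for example `sudo -u www-data sh check_session.sh --live`, then call `prepare_session_dir /path/to/joomla www-data` from the same shell to create the folder.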
If you still have issues with the Joomla admin session, please leave a comment on this post. Good luck!