Comprehensive Solution For Joomla Admin Session Problem After Upgrading To Joomla 1.0.13

Joomla logoJoomla 1.0.12 was known to have security problem so that Joomla users were urged to upgrade their Joomla to Joomla 1.0.13. For some users, upgrading went smoothly. However, others reported that there was problem with Joomla administrator login. It forced them to logout immediately after entering Joomla admin panel. Message found was either “Invalid Login”, “Admin Session Expired”, or “You need to login”. Did you also experience this issue? This article may help you explaining why it occured and alternative solutions available.

Active Session Id Verification in Joomla 1.0.13

If you follow Joomla development and compare how Joomla admin authentication works, you will notice that Joomla 1.0.13 implements internal active session id verification for the administrator login. This change prevents session fixation attempt and add more security to joomla authentication by ensuring current session id used is still active and uses Joomla’s session namespace.

However, Joomla 1.0.13 was shipped with broken session handler for administrator authentication. A new session namespace and id were generated when somebody pressed buttons other than “save” and “task” even if the session was not expired yet. Consequently, user experienced forced logout.

Quick Solution For Those Who Are In Hurry

Rob Schley from Joomla Development Team has posted a solution to this problem in Joomla forum. The solution contains patches for two files: includes/joomla.php and administrator/index.php. You can simply replace both files and check if it works by logging in to Joomla administrator. If you are still forced to log out when you click some buttons, it’s wise to also implement this change to file administrator/index2.php. If none of these changes relieve your headache, you may need to read the rest of this article and find the reason why.

Your Server Settings May Hinder You From Saving Session In Files

In some cases, server has different configuration from what Joomla expects. The picture belows describe how an uncommon configuration may lead to Joomla malfunction.

Php.ini uncommon session config

Default value for session.save_handler is “files”. For value “user”, a custom session handler has to be enacted by user which is currently not supported in native Joomla implementation. For session.save_path directive, extra check needs to be made to make sure that the path is readable and writable by Apache (or php handler) user id

If you do “phpinfo()” and get exact configuration values like the picture above, you may consider implementing the solution below.

Final Solution

My alternative patch for Joomla 1.0.13 can be downloaded from: http://dev.amikelive.com/joomla1/component/ option,com_remository/Itemid,5/func,select/id,2/

This patch combines both fixes mentioned earlier and add mechanism for forcing session module name and storage place.

How to invoke this fix:

  1. Backup your joomla files
  2. Copy the files in the zip into their respective folders
  3. Create a folder named session in your joomla installation directory (the directory where index.php exists)
  4. Give Apache (or php handler) user permission to write into the directory (you can chmod the directory to 777 or alike)
  5. Test logging into joomla admin panel.

If you still have issues with joomla admin session problem, please give comment to this post. Good luck!

22 thoughts on “Comprehensive Solution For Joomla Admin Session Problem After Upgrading To Joomla 1.0.13

  1. stuart

    I can’t get rid of the admin session problem

    Tried every fix going

    If I reload site and DB everything works fine until the admin session times out. After that happens keep getting invalid session in URL

    Any more ideas????

    Reply
  2. Tech Admin Post author

    @Stuart, Andrew
    If you still have problem after upgrading to (upcoming) Joomla 1.0.14, please post more details on how to replicate the error later. At this stage, I can only say that the fixes will work most of time unless it’s another bug undiscovered or different server setup overlooked in developer’s test.

    Reply
  3. Shamanda

    Session path: /home2/priveth/public_html/vb/session is not writable

    ( I have set permission to 777 and still get error that is not writable )

    i’m using Joomla 1.0.13 help

    Reply
  4. Will

    This is something I see repeatedly in 1.0.14 as well.
    Unfortunately though, I can not seem to determine a pattern for when or why it logs out the back-end user.

    I’m not sure if it is necessarily related but I have trouble on the front-end as well. Registered users can log in (they are marked as logged in from the back-end) but are not awarded any of the “privileges” that are set for a logged in user. Neither does the com_login module recognise them as logged in on the front-end.

    Interestingly enough, none of this happens on PHP5. I have 2 copies of this site, one on PHP4.4.7 and another (local) on PHP5. The problems only occur on the 4.4.7 site…

    Reply
  5. Klaus

    I also encounter this annoying invalid session bug after upgrading Joomla from 1.0.13 to 1.0.15 even after applying this fix.
    phpinfo() says:
    session.save_handler files files
    session.save_path /home/www/XXXXXX/phptmp /home/www/XXXXXX/phptmp

    However, session files are still created in /home/www/XXXXXX/phptmp and not in Joomla’s new session directory located in /home/www/XXXXXX/html/cms/session (rights: 777 as advised).

    Any help would be greatly appreciated!

    Reply
  6. Jack

    Wow, your fix is a life-saver so far. Too bad it took me about 3 hours to find it but still – you rock!

    Reply
  7. Tech Admin Post author

    @Klaus
    i noticed there are two session.save_path? this approach assumes that there is only single session directory which is unwritable and it will redirect session creation to another folder which is writable by php script.

    @Jack
    Glad to know you solve the problem.

    Reply
  8. Captain Nemo

    Interesting. I followed the instructions on patching my 1.0.12 version to 1.0.15. Luckily, this is a /dev/ account so my live site is still working.

    I attempted to log in and received the “Invalid Session” message. I fired up phpMyAdmin 2.11.0 and saw the “salted” password. So I changed the hash to the known hash for “admin”.

    When I tried using “admin”, “admin” I was given the “Invalid Session” again. Looking through phpMyAdmin the hash for “admin” which I had just put in was completely different along with salting. Is this what is supposed to happen?

    I haven’t tried the fixes above in the php files but when I encountered this problem in the past I was able to circumvent it using the method above. What gives now?

    Reply
  9. Tech Admin Post author

    @Captain Nemo
    What table did you modify? If you modify “users” table, it could be another issue. The hash in “session” table is auto generated by some mechanisms thus you can not simply change or the system will try to create a new one.

    Reply
  10. Captain Nemo

    I modified the “users” table.

    The whole process:

    Copied jos_ tables to dev_ tables (host only gives 1 sql database)
    Copied live 1.0.12 to dev folder.
    Changed configuration.php to reflect new pointers.
    Uploaded. Front-end and back-end of both live and dev sites worked and from correct tables.

    Unzipped patch 1.0.12 to 1.0.15 over my dev folder.
    Uploaded dev site again.

    Live site still works fine, but dev site won’t allow login. The site itself runs fine but obviously I cannot add, change, or delete anything if I can’t get into the administrator area.

    Using phpMyAdmin I went to the “dev_users” table. I took my admin account and changed the hash to “admin” (21232f297a57a5a743894a0e4a801fc3). I tried to log in and got the Invalid Session error.

    I refreshed the table in phpMyAdmin and the password for admin is now
    8aeade92ead0dbf6067b0c127c50496b:QF1rEQNs8U734r6d.

    If I type in an incorrect password my dev_users table remains unchanged. So this is where I am currently. Did I do something wrong?

    Reply
  11. stancafe

    This is the only patch that really works, i tried many of them, even upgraded to 1.0.15 but still the same ERROR

    THIS IS THE ONLY WORKING PATCH. Its also working if your facing session problem on 1.0.15 , i tried it on my test mirror.

    THANK YOU 10000000000000 times 😉

    bye

    Reply
  12. Eduard Fiedler

    I used your fix process, but then my joomla wrote this:
    Warning: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/var/lib/php5) is not within the allowed path(s): (/data/ceskamoda/html) in
    Do you know, how can I fix it?

    Reply
  13. nietzsche

    @captain nemo I got the excat same problem with an 1.0.15 version of joomla. It seems to be keep changing my password in the database (table jos_users) anybody knows how to fix this?

    Thanks in advance!

    Reply
  14. Tech Admin Post author

    @Eduard
    The error “open_basedir restriction in effect” refers to a situation in which a user is restricted from opening files owned by another user. The error itself is explainable since /var/lib/php5 is owned by system and /ceskamoda/html is your own directory.

    However, my patch adds is_readable call to certain file and i didn’t find the filename for your error message. Hence, the self-explanatory error message becomes bogus. It could be something related to my fix or joomla’s. Considering my patch was made for 1.0.13 and I haven’t verified for newer version, I couldn’t verify the real cause and solution for your case, unless I look at and fiddle with it by myself.

    Reply
  15. Val

    I’m on Joomla 1.10.15, discovered the same problem: either “Admin session expired” or “Invalid session”

    I can successfully logon into the backend.
    After that I open any item, in the WYSIWYG editor click the button that engages html editor plugin. It opens a new FF tab (as it should) but instead of showing the editor (as before) the tab contains new instance of login screen with “Admin session expired” message above.

    I’ve applied the patch, cleared cache etc. etc., but to no avail – nothing has changed.

    Reply
  16. Bernard H

    I faced a very annoying spurious logout issue with JOOMLA 1.0.15 manifesting itself in very few places: the nBill component while editing an order form field, and the native JOOMLA media manager central panel.

    I actually applied the fix documented at
    https://tech.amikelive.com/node-41/comprehensive-solution-for-joomla-admin-session-problem-after-upgrading-to-joomla-1013/
    with some changes so that 1.0.15 improvements are preserved.
    You achieve the result using Eclipse Compare editor facilities for instance and move changes one by one over the 1.0.15 files considering their relevance in turn.

    You can also download a zip of my own patched files (at your own risk) here: http://www.reversexsl.com/PublicPatches/Joomla1015-logoutPatch.zip

    Reply
  17. Matt

    My server got hacked through a site I hadn’t had time to upgrade or do anything with and I’ve had a lot of problems on various domains since, including the dreaded 1.13 Admin “Invalid Session” error.

    You are a life saver! Now on to the rest of the fixes.

    Reply
  18. David Thomas

    I have Joomla Version 1.015 which up till recently, last 3 months was working fine. Now I am geting hte issue of invalid logins happening all the time. Sometimes its fine, the next it happens continually despite logging in all the time.

    Is there a specific fix for the 1.015 version?

    Reply
  19. George K.

    Just uploaded the 2 files:

    1) administrator/index.php
    2) includes/joomla.php

    and everything fell into place.

    Thank you!!!

    George K.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *