#253 - Prevent session fixation by forking active sessions on login

joomlatools · Oct 27, 2015 · 648ed92 · 648ed92
1 parent 0e0c8ee
commit 648ed92
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/lib/libraries/cms/application/cms.php b/lib/libraries/cms/application/cms.php
@@ -739,8 +739,11 @@ public function login($credentials, $options = array())
 		{
             $session = JFactory::getSession($options);
 
+            // Fork the session to prevent session fixation issues if it's already active
             if($session->getState() != 'active') {
                 $session->start();
+            } else {
+                $session->fork();
             }
 
             /*

diff --git a/lib/libraries/joomla/session/session.php b/lib/libraries/joomla/session/session.php
@@ -743,29 +743,43 @@ public function restart()
 	 */
 	public function fork()
 	{
-		if ($this->_state !== 'active')
-		{
-			// @TODO :: generated error here
-			return false;
-		}
+        if($this->_state !== 'active') {
+            return false;
+        }
 
-		// Keep session config
-		$cookie = session_get_cookie_params();
+        // Keep the old values
+        $values	= $_SESSION;
 
-		// Kill session
-		session_destroy();
+        $trans = ini_get('session.use_trans_sid');
+        if( $trans ) {
+            ini_set( 'session.use_trans_sid', 0 );
+        }
+        $cookie	= session_get_cookie_params();
 
-		// Re-register the session store after a session has been destroyed, to avoid PHP bug
-		$this->_store->register();
+        // Generate a new ID
+        session_regenerate_id(true);
+        $id = session_id();
 
-		// Restore config
-		session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], true);
+        $data = $this->_store->read($this->getId());
 
-		// Restart session with new id
-		session_regenerate_id(true);
-		session_start();
+        // Kill the session
+        session_destroy();
 
-		return true;
+        // Re-register the session store after a session has been destroyed, to avoid PHP bug
+        $this->_store->register();
+
+        // Restore config
+        ini_set( 'session.use_trans_sid', $trans);
+        session_set_cookie_params( $cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);
+
+        // Restart session with new id
+        session_id($id);
+        session_start();
+
+        $_SESSION = $values;
+
+        // Now put the session data back
+        $this->_store->write($id, $data);
 	}
 
 	/**