Joomla how to regenerate the session ID to prevent session fixation

Joomla 1.5.15

I need to renew the session ID when a user logs in to prevent session fixation that is possible in 1.5.15. I realise I can update to latest version and would be fixed but for various reasons I can't update right now.

I have an authentication plugin which handles the logins (I don't use the #__users table), in my plugin 开发者_开发知识库I authenticate a user/pass with a web service. I would like to be able to regenerate th session ID at this point in the plugin.

I have tried simply session_regenerate_id() which does renew it but I lose all session data and can't login. I know Joomla uses its own session classes but I don't know if there is a function to do this.

Thanks

Use JSession::fork().

$session =& JFactory::getSession();
$session->fork();

All it really does is session_regenerate_id() in the background, but it makes sure the session is active first before it does so. You shouldn't lose any data by doing this (and if you do, there may be a bug somewhere)...

For Joomla 2.5 and Joomla 3.5 session fixation you can refer to the solution suggested for session fixation in Joomla 2.5