Joomla how to regenerate the session ID to prevent session fixation
Joomla 1.5.15
I need to renew the session ID when a user logs in to prevent session fixation that is possible in 1.5.15. I realise I can update to the latest version and it would be fixed, but for various reasons I can't update right now.
I have an authentication plugin which handles the logins (I don't use the #__users table); in my plugin I authenticate a user/pass with a web service. I would like to be able to regenerate the session ID at this point in the plugin.
I have tried simply session_regenerate_id() which does renew it but I lose all session data and can't login. I know Joomla uses its own session classes but I don't know if there is a function to do this.
Thanks
Use JSession::fork().
$session =& JFactory::getSession();
$session->fork();
All it really does is session_regenerate_id() in the background, but it makes sure the session is active first before it does so. You shouldn't lose any data by doing this (and if you do, there may be a bug somewhere)...
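The behaviour the answer describes (check that the session is active, regenerate the ID, keep the data), as an added plain-PHP example that is neither part of the original answer nor Joomla's JSession code. The helper name `rotate_session_id`, the sample session data and the user name are constructed; it assumes PHP 5.4+ for `session_status()` and is run from the command line.

```php
<?php
// Added illustration in plain PHP (5.4+); this is not Joomla's JSession code.

// Hypothetical helper: rotate the session ID, keep the session data.
function rotate_session_id()
{
    // Precondition the answer describes for fork(): the session must be active.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    $oldId = session_id();
    // true = delete the old session record, so the pre-login ID stops working.
    if (!session_regenerate_id(true)) {
        return false;
    }
    return session_id() !== $oldId;   // fail closed if the ID did not change
}

session_start();
$_SESSION['cart'] = array('sku-1', 'sku-2');   // constructed pre-login data
$preLoginId = session_id();                    // the ID a fixation relies on

$credentialsOk = true;   // stands in for the web-service check in the question
if ($credentialsOk && rotate_session_id()) {
    $_SESSION['user'] = 'alice';               // mark logged in only after rotation
}
$postLoginId = session_id();
$dataKept = ($_SESSION['cart'] === array('sku-1', 'sku-2'));
$user = isset($_SESSION['user']) ? $_SESSION['user'] : null;

// Re-open the pre-login ID to confirm it no longer leads to the logged-in session.
session_write_close();
session_id($preLoginId);
session_start();
$oldIdIsEmpty = !isset($_SESSION['user']) && !isset($_SESSION['cart']);
session_destroy();

// All output is deferred to the end so no session call runs after output starts.
var_dump(array(
    'id_changed'      => $postLoginId !== $preLoginId,
    'data_kept'       => $dataKept,
    'user'            => $user,
    'old_id_is_empty' => $oldIdIsEmpty,
));
```

The login flag is written only after the rotation succeeds, so a failed rotation never leaves an authenticated session on the pre-login ID.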
For Joomla 2.5 and Joomla 3.5 session fixation you can refer to the solution suggested for session fixation in Joomla 2.5