2014-09-29 40 views
1

Session fixation issue in Joomla 2.5

Possible impact: customer sessions and cookies could be stolen or manipulated, which could be used to impersonate a legitimate user, allowing a hacker to view or change user records and to carry out transactions as that user.

The recommended solution to prevent session fixation attacks is to renew the session ID when the user logs in. This fix can be done at the code level or at the framework level, depending on where the session management functionality is implemented.

I have tried to find a solution, but without success so far. Can anyone help with how to fix this in Joomla 2.5?

I would like to implement this fix at the framework level. Any help would be greatly appreciated.

Answers

0

Thanks a lot @ryadavalli! That was very helpful. Using the solution you suggested, I fixed it for Joomla 2.5.

Only a few changes are needed; for Joomla 2.5 the code has to be placed in

  1. libraries/joomla/application/application.php
  2. libraries/joomla/session/session.php

application.php, with respect to your solution:

    public function login($credentials, $options = array())
    {
        // Get the global JAuthentication object.
        jimport('joomla.user.authentication');

        $authenticate = JAuthentication::getInstance();
        $response = $authenticate->authenticate($credentials, $options);

        // Import the user plugin group.
        JPluginHelper::importPlugin('user');

        if ($response->status === JAuthentication::STATUS_SUCCESS)
        {
            // No reference assignment needed: objects are handles in PHP 5, and
            // "=& Class::method()" only raises a strict-standards notice.
            $session = JFactory::getSession();
            // Fork the session to prevent session fixation issues.
            $session->fork();
            // Validate that the user should be able to login (different to being authenticated);
            // this permits authentication plugins blocking the user.
            $authorisations = $authenticate->authorise($response, $options);
            // (rest of login() unchanged)

In session.php, the updated code is as follows:

    public function fork()
    {
        if ($this->_state !== 'active')
        {
            // @TODO: raise a proper error here
            return false;
        }

        // Save values
        $values = $_SESSION;

        // Keep session config (the use_trans_sid handling is left disabled)
        /*$trans = ini_get('session.use_trans_sid');
        if ($trans)
        {
            ini_set('session.use_trans_sid', 0);
        } */
        $cookie = session_get_cookie_params();

        // Create new session id
        //$id = $this->_createId();

        session_regenerate_id(true);
        $id = session_id();

        // First we grab the session data (read() takes the session id as argument)
        $data = $this->_store->read($id);

        // Kill session
        session_destroy();

        // Re-register the session store after a session has been destroyed, to avoid PHP bug
        $this->_store->register();

        // Restore config. The use_trans_sid restore stays disabled together with the
        // block above; otherwise $trans would be undefined at this point.
        //ini_set('session.use_trans_sid', $trans);
        session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);

        // Restart session with new id
        session_id($id);
        session_start();

        $_SESSION = $values;

        // Now we put the session data back
        $this->_store->write($id, $data);

        return true;
    }

0

I did this for Joomla 3.x. It should be similar for 2.5. You have to modify two files to make this work.

  1. libraries/cms/application/cms.php

  2. libraries/joomla/session/session.php

In cms.php, modify the login function:

        // Import the user plugin group.
        JPluginHelper::importPlugin('user');

        if ($response->status === JAuthentication::STATUS_SUCCESS)
        {
            // Plain assignment: "=& Class::method()" only raises a strict-standards notice.
            $session = JFactory::getSession();
            // Fork the session to prevent session fixation issues.
            $session->fork();

            /*
             * Validate that the user should be able to login (different to being authenticated).
             * This permits authentication plugins blocking the user.
             */
            $authorisations = $authenticate->authorise($response, $options);

In session.php, change the fork() function to contain:

    function fork()
    {
        if ($this->_state !== 'active')
        {
            // @TODO: raise a proper error here
            return false;
        }

        // Save values
        $values = $_SESSION;

        // Keep session config (the use_trans_sid handling is left disabled)
        /*$trans = ini_get('session.use_trans_sid');
        if ($trans)
        {
            ini_set('session.use_trans_sid', 0);
        } */
        $cookie = session_get_cookie_params();

        // Create new session id
        //$id = $this->_createId(strlen($this->getId()));
        session_regenerate_id(true);
        $id = session_id();

        // First we grab the session data
        $data = $this->_store->read($this->getId());

        // Kill session
        session_destroy();

        // Re-register the session store after a session has been destroyed, to avoid PHP bug
        $this->_store->register();

        // Restore config. The use_trans_sid restore stays disabled together with the
        // block above; otherwise $trans would be undefined at this point.
        //ini_set('session.use_trans_sid', $trans);
        // The trailing true sets the HttpOnly flag on the session cookie.
        session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], true);

        // Restart session with new id
        session_id($id);
        //session_regenerate_id(true);
        session_start();
        $_SESSION = $values;

        // Now we put the session data back
        $this->_store->write($id, $data);

        return true;
    }
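Both answers above hinge on the same invariant: the session ID a client holds before authentication must not remain valid once the session is marked as logged in, while the session data itself is carried over. The following is an added example, not code from the question, either answer, or Joomla. It models that invariant with a small in-memory store so it runs from the PHP CLI without real PHP sessions; `SessionStore`, `loginVulnerable`, `loginHardened`, `authenticate`, and the credentials are constructed for the demonstration, and `SessionStore::regenerate()` plays the role that `JSession::fork()` plays in the answers. It assumes PHP 7.1 or newer.

```php
<?php
// Added example: why the session ID must be regenerated at login.
// Nothing here is Joomla API; the class and functions are illustrative only.

final class SessionStore
{
    /** @var array<string, array> session id => session data */
    private $sessions = [];

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    public function get(string $id): ?array
    {
        return $this->sessions[$id] ?? null;
    }

    public function set(string $id, array $data): void
    {
        $this->sessions[$id] = $data;
    }

    // Counterpart of fork(): keep the data, issue a fresh id, drop the old id.
    public function regenerate(string $oldId): string
    {
        $data = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $data;
        return $newId;
    }
}

// Constructed credential check for the demo only.
function authenticate(string $user, string $password): bool
{
    return $user === 'alice' && hash_equals('correct horse', $password);
}

// Vulnerable: the id the client arrived with stays valid after login,
// so anyone who already knew that id now holds an authenticated session.
function loginVulnerable(SessionStore $store, string $sid, string $user, string $password): string
{
    if (!authenticate($user, $password)) {
        return $sid;
    }
    $data = $store->get($sid) ?? [];
    $data['user'] = $user;
    $store->set($sid, $data);
    return $sid;
}

// Hardened: regenerate the id before marking the session authenticated.
// Pre-login data (language, cart, ...) survives; the old id is dead.
function loginHardened(SessionStore $store, string $sid, string $user, string $password): string
{
    if (!authenticate($user, $password)) {
        return $sid;
    }
    $newSid = $store->regenerate($sid);
    $data = $store->get($newSid) ?? [];
    $data['user'] = $user;
    $store->set($newSid, $data);
    return $newSid;
}

// Scenario: a session id exists before authentication (the id a fixation
// attack relies on staying valid), then the legitimate user logs in.
$store = new SessionStore();
$preLoginId = $store->create();
$store->set($preLoginId, ['lang' => 'en']);
loginVulnerable($store, $preLoginId, 'alice', 'correct horse');
printf("vulnerable: pre-login id is now authenticated? %s\n",
    (($store->get($preLoginId)['user'] ?? null) === 'alice') ? 'yes' : 'no');

$store = new SessionStore();
$preLoginId = $store->create();
$store->set($preLoginId, ['lang' => 'en']);
$newId = loginHardened($store, $preLoginId, 'alice', 'correct horse');
$new = $store->get($newId);
printf("hardened: pre-login id still valid? %s; new id carries user and data? %s\n",
    $store->get($preLoginId) === null ? 'no' : 'yes',
    (($new['user'] ?? null) === 'alice' && ($new['lang'] ?? null) === 'en') ? 'yes' : 'no');
```

Run it with `php example.php`; the vulnerable path reports that the pre-login ID is now authenticated, the hardened path reports that the old ID is gone and the new one carries both the user and the pre-login data. In the real Joomla code the same two effects come from `session_regenerate_id(true)` (old ID deleted, new ID issued) and from restoring `$_SESSION` after the restart, which is exactly what the `fork()` versions in the answers do.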