Joomla 2.5的会话固定

Question

影响：可以窃取或操作客户会话和cookies，这些会话和cookie可能用于模拟合法用户，允许黑客查看或更改用户记录，并以该用户的身份执行事务。

建议的解决方案是在用户登录时更新会话ID，以防止会话固定攻击。此修复可以在代码级别或框架级别进行，具体取决于会话管理功能的实现位置。

我想找个办法解决这个问题，但我还是没有成功。任何人都可以在Joomla 2.5中帮助解决这个问题吗？

我想在框架级别上实现这个修复。任何帮助都将不胜感激。

Answer 1

“谢谢你”！这很有帮助。使用您建议的解决方案，我为Joomla 2.5解决了它。

只有很少的更改；对于Joomla2.5，需要将代码放在

1. 库/joomla/application/application.php
2. 库/joomla/session/session.php

在application.php w.r.t中您的解决方案

public function login($credentials, $options = array())
    {
        // Get the global JAuthentication object.
        jimport('joomla.user.authentication');

        $authenticate = JAuthentication::getInstance();
        $response = $authenticate->authenticate($credentials, $options);

        // Import the user plugin group.
        JPluginHelper::importPlugin('user');

        if ($response->status === JAuthentication::STATUS_SUCCESS)
        {
             $session = &JFactory::getSession();
                    // we fork the session to prevent session fixation issues
             $session->fork();
            // validate that the user should be able to login (different to being authenticated)
            // this permits authentication plugins blocking the user
            $authorisations = $authenticate->authorise($response, $options);

在session.php中，对代码进行了如下更新

public function fork()
    {
        if ($this->_state !== 'active')
        {
            // @TODO :: generated error here
            return false;
        }

        // Save values
        $values = $_SESSION;

        // Keep session config
        /*$trans = ini_get('session.use_trans_sid');
        if ($trans)
        {
            ini_set('session.use_trans_sid', 0);
        } */
        $cookie = session_get_cookie_params();

        // Create new session id
        //$id = $this->_createId();

            session_regenerate_id(true);
            $id = session_id();

            // first we grab the session data
            $data = $this->_store->read();

        // Kill session
        session_destroy();

        // Re-register the session store after a session has been destroyed, to avoid PHP bug
        $this->_store->register();

        // Restore config
        ini_set('session.use_trans_sid', $trans);
        session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure']);

        // Restart session with new id
        session_id($id);
        session_start();

        $_SESSION = $values;

            //now we put the session data back
            $this->_store->write($id, $data);

        return true;
    }

Answer 2

我这么做是为了Joomla 3.x版本。在2.5中应该是类似的。您应该修改两个文件以使此工作。

1. 库/cms/application/cms.php
2. 库/joomla/session/session.php

在cms.php中修改函数登录

 // Import the user plugin group.
            JPluginHelper::importPlugin('user');

            if ($response->status === JAuthentication::STATUS_SUCCESS)
            {
                    $session = &JFactory::getSession();
                    // we fork the session to prevent session fixation issues
                    $session->fork();

                    /*
                     * Validate that the user should be able to login (different to being authenticated).
                     * This permits authentication plugins blocking the user.
                     */
                    $authorisations = $authenticate->authorise($response, $options);

在session.php中，将函数叉()更改为包含

function fork()
    {
            if( $this->_state !== 'active' ) {
                    // @TODO :: generated error here
                    return false;
            }

            // save values
            $values = $_SESSION;

            // keep session config
            /*$trans        =       ini_get( 'session.use_trans_sid' );
            if( $trans ) {
                    ini_set( 'session.use_trans_sid', 0 );
            } */
            $cookie =       session_get_cookie_params();
            // create new session id
            //$id   =       $this->_createId( strlen( $this->getId() ) );
            session_regenerate_id(true);
            $id = session_id();

            // first we grab the session data
            $data = $this->_store->read($this->getId());

            // kill session
            session_destroy();

            // re-register the session store after a session has been destroyed, to avoid PHP bug
            $this->_store->register();

            // restore config
            ini_set( 'session.use_trans_sid', $trans );
            session_set_cookie_params($cookie['lifetime'], $cookie['path'], $cookie['domain'], $cookie['secure'], true);

            // restart session with new id
            session_id( $id );
            //session_regenerate_id(true);
            session_start();
            $_SESSION = $values;

            //now we put the session data back
            $this->_store->write($id, $data);
            return true;
    }