The Joomla! Community Portal ™





Important change to session handling in 1.0.8
Written by Rey Gigataras   
Sunday, 12 February 2006 14:09
An important change is taking place in Frontend session handling in the upcoming 1.0.8 release. * This change may affect 3rd party bridging components *

The problem

This change is to address 2 problems:
  1. Problems with some users staying logged into the frontend
  2. Hugely inflated session counts
The first problem is caused by the way Joomla! handles session tracking. Basically it means that people accessing the net behind proxy banks - like AOL users - will not be able to stay logged into the frontend. This problem also causes more than one session to be generated for a single user - leading to an inflated session count.
This overinflation of the session count is best demonstrated by the abnormally large who's online count sometimes returned - however this is also due to another problem, which hopefully we have solved.
For those wanting to read a more technical explanation of the issues, please read Steve Graham's excellent discussion on the subject.

New Global Config Param

This has led to a new Global Configuration parameter in 1.0.8 that allows you to control the manner of Session Authentication used by Joomla!:
[Image: GC Session Param]
The default is to use the highest setting - with two other options: one catering for proxy bank users and the other a pre-1.0.8 compatibility method. Those wanting to find out the exact mechanics of the change should read on.
To fix these two interrelated problems, both the manner in which sessions are generated in the frontend and the point at which they are generated have changed.

Change in Session ID created

Formerly a Joomla! and Mambo Session ID was a random number plus the Full IP of the user. Using the full IP causes problems for those behind proxy banks - to cater for this there is now an option to only use the first 3 values of an IP - the subnet. So if you had an IP of - you could authenticate against only 127.0.0.
This obviously leads to a lessening of security. To account for this, it was decided to make sessions more secure: instead of only a random number and the IP, the User Agent information of a user and the mosConfig_secret value are also used to create a session ID.
User Agent information is based on the browser and system you are using to browse the web and might look like this: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/
mosConfig_secret is a random number generated when you install Joomla for the first time, so it is a fairly unique identifier of a Joomla site.
So now in the global config option, one can select from 3 different ways of generating Session IDs:
  1. mosConfig_secret + Random Number + Full IP + User Agent
  2. mosConfig_secret + Random Number + Subnet IP + User Agent
  3. Random Number + Full IP
By default Setting 1 is used - however those with a high number of users accessing from behind proxy banks can switch to Setting 2. We do not recommend using Setting 3 - which is the old way of generating session IDs - unless you are using bridging applications.
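The trade-off between the three settings above, as an added example (not Joomla!'s own code, and written in Python rather than Joomla!'s PHP): it derives a session ID from the listed inputs and checks which request changes invalidate it. The function names, the use of SHA-256 to combine the fields and all sample values are assumptions; the article only lists the inputs.

```python
import hashlib
import secrets

# Settings as numbered in the article's list of three Session ID methods.
FULL_IP_UA, SUBNET_UA, LEGACY = 1, 2, 3


def client_binding(setting, secret, ip, user_agent):
    """Return the site- and client-specific fields mixed into the session ID."""
    if setting == LEGACY:                      # 3: Random Number + Full IP
        return [ip]
    if setting == SUBNET_UA:                   # 2: keep only the first 3 octets
        ip = ".".join(ip.split(".")[:3])
    return [secret, ip, user_agent]            # 1 and 2 add secret + User Agent


def session_id(setting, secret, random_part, ip, user_agent):
    # Assumption: fields are joined with NUL and hashed with SHA-256.
    fields = [random_part] + client_binding(setting, secret, ip, user_agent)
    return hashlib.sha256("\0".join(fields).encode()).hexdigest()


def still_valid(setting, secret, random_part, stored_id, ip, user_agent):
    """Recompute the ID from the current request and compare with the stored one."""
    current = session_id(setting, secret, random_part, ip, user_agent)
    return secrets.compare_digest(current, stored_id)


def demo():
    secret = "constructed-site-secret"         # stands in for mosConfig_secret
    rnd = "constructed-random-part"            # fixed so the run is repeatable
    ua = "ExampleBrowser/1.0"                  # constructed User Agent
    first_ip, proxy_hop, other_net = "192.0.2.10", "192.0.2.77", "198.51.100.5"
    results = {}
    for setting in (FULL_IP_UA, SUBNET_UA, LEGACY):
        sid = session_id(setting, secret, rnd, first_ip, ua)
        results[setting] = {
            "same_subnet_hop": still_valid(setting, secret, rnd, sid, proxy_hop, ua),
            "other_network": still_valid(setting, secret, rnd, sid, other_net, ua),
            "changed_user_agent": still_valid(setting, secret, rnd, sid, first_ip, "Other/2.0"),
        }
    return results


if __name__ == "__main__":
    for setting, outcome in demo().items():
        print(setting, outcome)
```

Only Setting 2 keeps the session alive when the address changes within the same subnet, and only Setting 3 ignores a changed User Agent.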

Change in when Sessions are created

The other change is that, instead of immediately creating a session in the mos_session table when a person visits your site, a cookie is sent to the visitor. On the second request to your site, the system checks for this cookie and, if it can be found, a session is then created for the site visitor.
This should mean that search engine spiders (which can't accept cookies) will not get assigned a session value. This matters because, if a site is well spidered, in the pre-1.0.8 system it's conceivable that a spider will create a new session entry (in mos_session) for every page it visits on your site - which can lead to a huge number of sessions being created. As an example this fix is now used on and in 1.0.7 it was reporting +9000 sessions consistently - with this fix, it now shows a more reasonable +150 count. This should also mean there is less chance of the session table becoming corrupted - which has been reported as occurring at times.
The drawback is that it takes 2 page requests to your site for a visitor to start being tracked - which means that your who's online count will be slightly undervalued. Note: this change will not affect general statistics tracking.


I'd like to thank Steve Graham for helping to explain the issues and problems so succinctly on the forums. However, more importantly, he also proposed a solution. For the most part the final solution adopted is his, with suggestions and modifications by community members and Joomla! core members. Also many thanks to the community members who helped in debugging, adding suggestions and commenting on the work.