|Important change to session handling in 1.0.8|
|Written by Rey Gigataras|
|Sunday, 12 February 2006 14:09|
The problem
This change is to address 2 problems:
This overinflation of the session count can best be demonstrated by the abnormally large "who's online" count sometimes returned; however, this is also due to another problem, which hopefully we have solved. For those wanting to read a more technical explanation of the issues, please read Steve Graham's excellent discussion on the subject.
New Global Config Param
This has led to a new Global Configuration parameter in 1.0.8 that allows you to control the manner of Session Authentication used by Joomla!:
The default is to use the highest setting, with two other options: one catering for users behind proxy banks and the other a pre-1.0.8 compatibility method. Those wanting to find out the exact mechanics of the change should read on.
To fix these two interrelated problems, how and when sessions are generated in the frontend has changed.
Change in how the Session ID is created
Formerly a Joomla! and Mambo Session ID was a random number plus the full IP of the user. Using the full IP causes problems for those behind proxy banks; to cater for this there is now an option to use only the first 3 values of an IP (the subnet). So if you had an IP of 127.0.0.1, you could authenticate against only 127.0.0. This obviously leads to a lessening of security. To account for this, it was decided to make sessions more secure: instead of only a random number and the IP, the User Agent information of a user and the mosConfig_secret value are also used to create a session ID.
User Agent information is based on the browser and system you are using to browse the web and might look like this: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. mosConfig_secret is a random number generated when you install Joomla! for the first time, so it is a fairly unique identifier of a Joomla! site. So now, in the global config option, one can select from 3 different ways of generating Session IDs.
Change in when Sessions are created
The other change is that, instead of immediately creating a session in the mos_session table when a person visits your site, a cookie is sent to the visitor; on the second request to your site the system checks for this cookie, and if it is found a session is then created for the site visitor.
This should mean that search engine spiders (which can't accept cookies) will not get assigned a session value. In the pre-1.0.8 system, if a site is well spidered, it is conceivable that a spider will create a new session entry (in mos_session) for every page it visits on your site, which can lead to a huge number of sessions being created. As an example, this fix is now used on www.joomla.org: in 1.0.7 it was reporting +9000 sessions consistently, and with this fix it now shows a more reasonable +150 count. This should also mean there is less chance of the session table becoming corrupted, which has been reported as occurring at times. The drawback is that it takes 2 page requests to your site for a visitor to start being tracked, which means that your "who's online" count will be slightly undervalued. Note: this change will not affect general statistics tracking.
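The following is an added illustration, not code from Joomla! itself, modelling the two changes described above: a session ID derived from the cookie value, the client IP (full or first 3 values), the User Agent and mosConfig_secret under the three configuration modes, and a mos_session row that is only created once the cookie comes back on a second request. The mode names, the cookie name `sessioncookie`, the use of MD5, and the return values are this example's own assumptions about the mechanics.

```python
import hashlib
import secrets

# The three Global Configuration choices described above. These names are
# this example's own, not Joomla!'s real option labels.
MODE_HIGHEST = "highest"    # random + full IP + User Agent + mosConfig_secret
MODE_PROXY = "proxy_bank"   # random + first 3 IP values + User Agent + secret
MODE_LEGACY = "pre_1_0_8"   # random + full IP only (pre-1.0.8 behaviour)


def ip_part(ip: str, mode: str) -> str:
    """Return the part of the client IP that the session is bound to."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted-quad expected")
    return ".".join(octets[:3]) if mode == MODE_PROXY else ip


def session_id(cookie: str, ip: str, ua: str, secret: str, mode: str) -> str:
    """Derive the mos_session key; a replayed cookie from another IP/UA maps elsewhere."""
    material = cookie + ip_part(ip, mode)
    if mode != MODE_LEGACY:
        material += ua + secret
    return hashlib.md5(material.encode()).hexdigest()  # hash choice assumed


class Frontend:
    """Models the two-request session creation described above."""

    COOKIE = "sessioncookie"  # assumed cookie name

    def __init__(self, secret: str, mode: str = MODE_HIGHEST):
        self.secret, self.mode = secret, mode
        self.sessions = set()  # stands in for the mos_session table

    def handle(self, cookies: dict, ip: str, ua: str) -> tuple:
        """Process one request; returns (cookie value to set or None, status)."""
        cookie = cookies.get(self.COOKIE)
        if cookie is None:
            # First visit: only send a cookie. No mos_session row yet, so a
            # spider that never returns the cookie never creates one.
            return secrets.token_hex(16), "cookie_sent"
        sid = session_id(cookie, ip, ua, self.secret, self.mode)
        if sid in self.sessions:
            return None, "resumed"
        # Cookie came back: the visitor accepts cookies, so create the row now.
        self.sessions.add(sid)
        return None, "created"
```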
Thanks
I'd like to thank Steve Graham for helping so succinctly to explain the issues and problems on the forums. More importantly, he also proposed a solution. For the most part the final solution adopted is his, with suggestions and modifications by community members and Joomla! core members. Also many thanks to the community members who helped in debugging, adding suggestions and commenting on the work.