Avoid setting an explicit session ID via GET args.

coling · coling · commit 7b7f68d87373 · 2024-05-09T16:28:53.000+01:00
This is considered a failing metric in automated PCI scans under the
"session hijacking" category and thus should be avoided.

PHP 4.3 introduced the "session.use_only_cookies" PHP configuration
option which meant that passing in a session ID via GET/POST variables
can be disabled. The code in Joomla should at very least honour this
setting.

Alternatively, if no good reason for this code exists, it should be
removed entirely.
diff --git a/libraries/src/Session/Storage/JoomlaStorage.php b/libraries/src/Session/Storage/JoomlaStorage.php
@@ -283,7 +283,7 @@ public function start(): void
         // Get the cookie object
         $cookie = $this->input->cookie;
 
-        if (\is_null($cookie->get($session_name))) {
+        if (empty(\ini_get('session.use_only_cookies')) && \is_null($cookie->get($session_name))) {
             $session_clean = $this->input->getString($session_name);
 
             if ($session_clean) {
