After having upgraded a web server to the latest version of the awesome PHP module for Apache, I ran into a snag with Joomla. At the time, I had just upgraded a few sites to Joomla 1.0.13, so it was hard to immediately find someone to blame 🙂
What happened was that I could no longer log in to the Joomla backend (admin, whatever, nothing worked). I kept being redirected to the login page again. Entering an incorrect password on purpose would yield the correct message (i.e. “Incorrect username/password” bla bla). After digging around for many hours, and reading Joomla code, I saw that Joomla utilizes the session_name() PHP function call. This doesn’t sound too strange, until I checked the PHP 5.2.5 changelog, which states:
Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set())
Knowing that I usually configure a unique session name for every site by using
in my Apache .conf-file, I was thinking that although ini_set() wasn’t used in the Joomla code I was looking at, I guess you would want to protect yourself against applications overriding the session.name PHP admin value; and Joomla makes use of the session_name() function to do just that.
Removing the use of the above configuration directive from my Apache .conf-file, and restarting Apache, the problem went away.
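As an added example (not code from the original post or from Joomla), this PHP script checks whether a session_name() call still takes effect under the server configuration it runs in. The function name probe_session_name and the sample session name are hypothetical; request the script through the same Apache virtual host as the affected site.

```php
<?php
// Added diagnostic, not from the original post.
// Must run before any session is started and before any output is sent.

/**
 * Try to rename the session the way an application would and report
 * whether PHP accepted the change.
 * $wanted is a constructed sample name, not one taken from Joomla.
 */
function probe_session_name($wanted = 'probeSessionName')
{
    $configured = session_name();        // name in effect from php.ini / httpd.conf
    $details    = ini_get_all('session'); // per-directive details, incl. access mask
    $access     = $details['session.name']['access'];

    session_name($wanted);               // what the application attempts
    $effective = session_name();         // what PHP will actually use

    // Put the original name back so the probe has no lasting effect.
    if ($effective !== $configured) {
        session_name($configured);
    }

    return array(
        'configured' => $configured,
        'requested'  => $wanted,
        'effective'  => $effective,
        'access'     => $access,
        'locked'     => ($effective !== $wanted),
    );
}

$r = probe_session_name();
header('Content-Type: text/plain');
printf("configured session.name : %s\n", $r['configured']);
printf("requested via function  : %s\n", $r['requested']);
printf("effective after request : %s\n", $r['effective']);
printf("access mask from PHP    : %d\n", $r['access']);
if ($r['locked']) {
    echo "session_name() was ignored: the application and PHP now disagree on the session name.\n";
} else {
    echo "session_name() took effect: the application can rename the session.\n";
}
```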
The bug is reported in the JoomlaCode tracker at:
I intend to add this explanation to that tracker item as soon as I’m allowed to 🙂
To sum things up: This is not a bug in Joomla 1.0.x nor in PHP 5.2.5 per se; it’s a case of security catching up with you (if you’re as anal about it as I’ve been with my PHP/Apache configuration).