Backward Compatibility in Joomla 3.4.7
From Joomla! Documentation
What has changed?
Starting with version 3.4.7, Joomla stores session data in a base64-encoded data container instead of saving it in plaintext in the global $_SESSION.
Basically, Joomla switched from
function set($key, $value, $namespace)
{
    // Before 3.4.7: the value is written in plaintext into the global session array
    $_SESSION[$namespace][$key] = $value;
}
to
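function set($key, $value, $namespace)
{
    // From 3.4.7: the value goes into the internal data container ...
    $this->data->set($namespace . '.' . $key, $value);
    // ... and the whole container is stored serialized and base64-encoded under one key
    $_SESSION['joomla'] = base64_encode(serialize($this->data));
}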
Why has this been changed?
This was required to work around a critical PHP bug fixed in September 2015. The bug creates several attack vectors connected to plaintext, user-supplied data saved in a session.
Will my extensions continue to work?
We have 3 scenarios here:
Scenario 1 - You’re already using JSession: In this case you’re perfectly safe because the API of JSession hasn’t been changed. The session encoding has been implemented transparently, so no changes to your code are required.
Scenario 2 - You’re using $_SESSION to read or write your own, extension-specific data: In this case your extension will continue to work. The new code doesn’t touch any other data in the global $_SESSION variable.
Scenario 3 - You’re using $_SESSION to read or write general data shared with Joomla or other extensions: In this case your extension will break because the internal structure of $_SESSION has been changed. An easy fix is to use JSession to replace direct usages of $_SESSION.
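The three scenarios can be reproduced from the PHP command line with the sketch below. It is an added example, not Joomla's own code: DataContainer and DemoSession are hypothetical stand-ins for Joomla's internal data object and for JSession, and the key names, values and the 'default' namespace are constructed for the demonstration.

```php
<?php
// Added illustration, not Joomla code. DataContainer and DemoSession are
// hypothetical stand-ins for Joomla's data object and for JSession.
class DataContainer
{
    private $values = array();

    public function set($path, $value) { $this->values[$path] = $value; }

    public function get($path, $default = null)
    {
        return array_key_exists($path, $this->values) ? $this->values[$path] : $default;
    }
}

class DemoSession
{
    private $data;

    public function __construct() { $this->data = new DataContainer; }

    // Same shape as the 3.4.7 set() shown on this page.
    public function set($key, $value, $namespace = 'default')
    {
        $this->data->set($namespace . '.' . $key, $value);
        $_SESSION['joomla'] = base64_encode(serialize($this->data));
    }

    public function get($key, $default = null, $namespace = 'default')
    {
        return $this->data->get($namespace . '.' . $key, $default);
    }
}

$_SESSION = array();                            // constructed session for a CLI run
$_SESSION['com_example'] = array('step' => 2);  // extension-specific data (Scenario 2)

$session = new DemoSession;
$session->set('user_id', 42);                   // constructed sample value

// Scenario 1: reading through the session API is unaffected by the new storage.
echo 'API read: ', var_export($session->get('user_id'), true), PHP_EOL;
// Scenario 2: keys owned by the extension are left untouched in $_SESSION.
echo 'Own key: ', var_export($_SESSION['com_example']['step'], true), PHP_EOL;
// Scenario 3: the old plaintext location is no longer populated ...
echo 'Old location set: ', var_export(isset($_SESSION['default']['user_id']), true), PHP_EOL;
// ... because the shared data now sits in a single opaque string.
echo 'Container is string: ', var_export(is_string($_SESSION['joomla']), true), PHP_EOL;
```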