Backward Compatibility in Joomla 3.4.7

From Joomla! Documentation

What has changed?

Starting with version 3.4.7, Joomla saves session data in a base64-encoded data container instead of storing it in plaintext in the global $_SESSION.

Basically, Joomla switched from

function set($key, $value, $namespace)
{
  $_SESSION[$namespace][$key] = $value;
}

to

function set($key, $value, $namespace)
{
  $this->data->set($namespace . '.' . $key, $value);
  $_SESSION['joomla'] = base64_encode(serialize($this->data));
}

Why has this been changed?

This was required to work around a critical PHP bug fixed in September 2015. The bug creates several attack vectors connected to plaintext, user-supplied data saved in a session.

Will my extensions continue to work?

We have 3 scenarios here:

Scenario 1 - You’re already using JSession: In this case you’re perfectly safe because the API of JSession hasn’t been changed. The session encoding has been implemented transparently, so no changes to your code are required.

Scenario 2 - You’re using $_SESSION to read or write your own, extension-specific data: In this case your extension will continue to work. The new code doesn’t touch any other data in the global $_SESSION variable.

Scenario 3 - You’re using $_SESSION to read or write general data shared with Joomla or other extensions: In this case your extension will break because the internal structure of $_SESSION has been changed. An easy fix is to use JSession to replace direct usages of $_SESSION.
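The three scenarios above, as an added PHP example that is not Joomla's own code: DemoStore and DemoSession are hypothetical stand-ins for the data container and for JSession, and the session values are constructed sample data. It shows that an extension's own $_SESSION key survives, that a direct read of the old layout no longer finds the shared value, and that a read through the session API still does.

```php
<?php
// Added example: stand-ins for the two storage layouts shown above.
// DemoStore and DemoSession are hypothetical names, not Joomla classes.

class DemoStore
{
    private $values = array();

    public function set($path, $value) { $this->values[$path] = $value; }

    public function get($path, $default = null)
    {
        return array_key_exists($path, $this->values) ? $this->values[$path] : $default;
    }
}

class DemoSession
{
    private $data;

    public function __construct() { $this->data = new DemoStore; }

    // Same shape as the 3.4.7 set() shown above.
    public function set($key, $value, $namespace)
    {
        $this->data->set($namespace . '.' . $key, $value);
        $_SESSION['joomla'] = base64_encode(serialize($this->data));
    }

    public function get($key, $default, $namespace)
    {
        return $this->data->get($namespace . '.' . $key, $default);
    }
}

function demo()
{
    // Scenario 2: extension-specific data under its own key (constructed).
    $_SESSION = array('my_extension' => array('cart' => 3));
    $session  = new DemoSession;
    $session->set('user', 'alice', 'default'); // shared data, constructed

    return array(
        'own_key_intact' => $_SESSION['my_extension']['cart'] === 3,
        'direct_read'    => isset($_SESSION['default']['user']),     // scenario 3: old layout
        'api_read'       => $session->get('user', null, 'default'),  // scenario 1: via the API
        'container_type' => gettype($_SESSION['joomla']),            // the encoded container
    );
}

var_dump(demo());
```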