From 0e5caf6b3fe15af348a7c690a2db69a00f3f5cc5 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Tue, 2 Jun 2026 14:58:24 -0500
Subject: [PATCH] fix: move boot() session lifetime logic from core to firewall
 plugin

Core plugin's boot() called ipIsTrusted() which was deleted in the
cleanup. The session lifetime extension for trusted IPs is now in the
firewall plugin's boot() method where ipIsTrusted() still exists.

Firewall now implements BootableExtensionInterface.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../Extension/MokoWaaS.php                    | 15 +-----------
 .../src/Extension/Firewall.php                | 23 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index fcca7e3d..17240ed5 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -161,20 +161,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	public function boot(ContainerInterface $container): void
 	{
-		$timeout = (int) $this->params->get('admin_session_timeout', 0);
-
-		if ($timeout <= 0)
-		{
-			return;
-		}
-
-		if ($this->ipIsTrusted())
-		{
-			// Set both PHP and Joomla session lifetimes before the
-			// session handler runs its expiry check.
-			ini_set('session.gc_maxlifetime', 315360000);
-			Factory::getConfig()->set('lifetime', 525600);
-		}
+		// Session lifetime for trusted IPs is now handled by the firewall plugin
 	}
 
 	/**
diff --git a/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php b/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
index c2b096b3..b7b82181 100644
--- a/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
+++ b/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
@@ -10,12 +10,14 @@ namespace Moko\Plugin\System\MokoWaaSFirewall\Extension;
 
 defined('_JEXEC') or die;
 
+use Joomla\CMS\Extension\BootableExtensionInterface;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Log\Log;
 use Joomla\CMS\Plugin\CMSPlugin;
 use Joomla\CMS\Router\Route;
 use Joomla\Event\SubscriberInterface;
 use Moko\Plugin\System\MokoWaaS\Helper\MokoWaaSHelper;
+use Psr\Container\ContainerInterface;
 
 /**
  * MokoWaaS Firewall Plugin
@@ -25,10 +27,29 @@ use Moko\Plugin\System\MokoWaaS\Helper\MokoWaaSHelper;
  *
  * @since  02.32.00
  */
-class Firewall extends CMSPlugin implements SubscriberInterface
+class Firewall extends CMSPlugin implements SubscriberInterface, BootableExtensionInterface
 {
 	protected $autoloadLanguage = true;
 
+	/**
+	 * Extend session lifetime for trusted IPs before Joomla creates the session.
+	 */
+	public function boot(ContainerInterface $container): void
+	{
+		$timeout = (int) $this->params->get('admin_session_timeout', 0);
+
+		if ($timeout <= 0)
+		{
+			return;
+		}
+
+		if ($this->ipIsTrusted())
+		{
+			ini_set('session.gc_maxlifetime', 315360000);
+			Factory::getConfig()->set('lifetime', 525600);
+		}
+	}
+
 	private const BLOCKED_FILES = [
 		'htaccess.txt', 'web.config.txt', 'configuration.php-dist',
 		'README.txt', 'LICENSE.txt', 'joomla.xml', 'robots.txt.dist',