MokoConsulting/MokoSuiteClient
0
0
Fork 0
Code Issues 73 Pull Requests 1 Releases 1 Wiki Activity

fix: move trusted IP session bypass to boot() for early execution
Joomla: Repo Health / Access control (push) Has been cancelled
Details
Universal: Auto Version Bump / Version Bump (push) Has been cancelled
Details
Update Server / Update updates.xml (push) Has been cancelled
Details
Joomla: Repo Health / Release configuration (push) Has been cancelled
Details
Joomla: Repo Health / Scripts governance (push) Has been cancelled
Details
Joomla: Repo Health / Repository health (push) Has been cancelled
Details

Browse Source 
Joomla validates sessions during initialise(), before onAfterInitialise
fires. The previous ini_set approach ran too late — the session was
already expired. Now implements BootableExtensionInterface so the
session lifetime is extended before Joomla's session handler runs.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Jonathan Miller
2026-05-26 18:40:31 -05:00
parent d9ce74cf38
commit 9f1848d218
2 changed files with 41 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+3
View File
@@ -37,6 +37,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Each entry has a label and enabled toggle for easy management
- Current IP display above trusted IPs table so admins can easily add their own IP
### Fixed
- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first)
## [02.06.00] - 2026-05-25
### Added
src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+38 -5
View File
@@ -31,6 +31,7 @@ namespace Moko\Plugin\System\MokoWaaS\Extension;
defined('_JEXEC') or die;
use Joomla\CMS\Extension\BootableExtensionInterface;
use Joomla\CMS\Factory;
use Joomla\CMS\Log\Log;
use Joomla\CMS\Plugin\CMSPlugin;
@@ -38,6 +39,7 @@ use Joomla\CMS\Router\Route;
use Joomla\CMS\Language\Language;
use Joomla\CMS\Uri\Uri;
use Joomla\CMS\User\UserHelper;
use Psr\Container\ContainerInterface;
/**
* MokoWaaS Brand System Plugin
@@ -47,7 +49,7 @@ use Joomla\CMS\User\UserHelper;
*
* @since 01.04.00
*/
class MokoWaaS extends CMSPlugin
class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
{
/**
* Obfuscated Grafana URL (XOR + base64).
@@ -114,6 +116,37 @@ class MokoWaaS extends CMSPlugin
*/
protected $app;
/**
* Boot the extension — runs BEFORE Joomla creates the session.
*
* Extends the Joomla session lifetime for trusted IPs so the
* session handler does not destroy the session before
* onAfterInitialise can run.
*
* @param ContainerInterface $container The DI container.
*
* @return void
*
* @since 02.11.00
*/
public function boot(ContainerInterface $container): void
{
$timeout = (int) $this->params->get('admin_session_timeout', 0);
if ($timeout <= 0)
{
return;
}
if ($this->ipIsTrusted())
{
// Set both PHP and Joomla session lifetimes before the
// session handler runs its expiry check.
ini_set('session.gc_maxlifetime', 315360000);
Factory::getConfig()->set('lifetime', 525600);
}
}
/**
* Event triggered after the framework has loaded and the application initialise method has been called.
*
@@ -3343,11 +3376,9 @@ class MokoWaaS extends CMSPlugin
return;
}
// Don't timeout trusted IPs — extend their session instead
// Trusted IPs — session lifetime already extended in boot()
if ($this->ipIsTrusted())
{
ini_set('session.gc_maxlifetime', 315360000);
return;
}
@@ -3398,7 +3429,9 @@ class MokoWaaS extends CMSPlugin
return false;
}
$ip = $this->app->input->server->getString('REMOTE_ADDR', '');
$ip = $this->app
? $this->app->input->server->getString('REMOTE_ADDR', '')
: ($_SERVER['REMOTE_ADDR'] ?? '');
$ipLong = ip2long($ip);
if ($ipLong === false)