From 9f1848d218db437eb49c437c35e75c3cfc664571 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Tue, 26 May 2026 18:40:31 -0500 Subject: [PATCH] fix: move trusted IP session bypass to boot() for early execution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Joomla validates sessions during initialise(), before onAfterInitialise fires. The previous ini_set approach ran too late — the session was already expired. Now implements BootableExtensionInterface so the session lifetime is extended before Joomla's session handler runs. Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 3 ++ .../Extension/MokoWaaS.php | 43 ++++++++++++++++--- 2 files changed, 41 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e3e1400..04efaf0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Each entry has a label and enabled toggle for easy management - Current IP display above trusted IPs table so admins can easily add their own IP +### Fixed +- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first) + ## [02.06.00] - 2026-05-25 ### Added diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php index f99ce7bd..2f291256 100644 --- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php +++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php @@ -31,6 +31,7 @@ namespace Moko\Plugin\System\MokoWaaS\Extension; defined('_JEXEC') or die; +use Joomla\CMS\Extension\BootableExtensionInterface; use Joomla\CMS\Factory; use Joomla\CMS\Log\Log; use Joomla\CMS\Plugin\CMSPlugin; @@ -38,6 +39,7 @@ use Joomla\CMS\Router\Route; use Joomla\CMS\Language\Language; use Joomla\CMS\Uri\Uri; use Joomla\CMS\User\UserHelper; +use Psr\Container\ContainerInterface; /** * MokoWaaS Brand System Plugin @@ -47,7 +49,7 @@ use Joomla\CMS\User\UserHelper; * * @since 01.04.00 */ -class MokoWaaS extends CMSPlugin +class MokoWaaS extends CMSPlugin implements BootableExtensionInterface { /** * Obfuscated Grafana URL (XOR + base64). @@ -114,6 +116,37 @@ class MokoWaaS extends CMSPlugin */ protected $app; + /** + * Boot the extension — runs BEFORE Joomla creates the session. + * + * Extends the Joomla session lifetime for trusted IPs so the + * session handler does not destroy the session before + * onAfterInitialise can run. + * + * @param ContainerInterface $container The DI container. + * + * @return void + * + * @since 02.11.00 + */ + public function boot(ContainerInterface $container): void + { + $timeout = (int) $this->params->get('admin_session_timeout', 0); + + if ($timeout <= 0) + { + return; + } + + if ($this->ipIsTrusted()) + { + // Set both PHP and Joomla session lifetimes before the + // session handler runs its expiry check. + ini_set('session.gc_maxlifetime', 315360000); + Factory::getConfig()->set('lifetime', 525600); + } + } + /** * Event triggered after the framework has loaded and the application initialise method has been called. * @@ -3343,11 +3376,9 @@ class MokoWaaS extends CMSPlugin return; } - // Don't timeout trusted IPs — extend their session instead + // Trusted IPs — session lifetime already extended in boot() if ($this->ipIsTrusted()) { - ini_set('session.gc_maxlifetime', 315360000); - return; } @@ -3398,7 +3429,9 @@ class MokoWaaS extends CMSPlugin return false; } - $ip = $this->app->input->server->getString('REMOTE_ADDR', ''); + $ip = $this->app + ? $this->app->input->server->getString('REMOTE_ADDR', '') + : ($_SERVER['REMOTE_ADDR'] ?? ''); $ipLong = ip2long($ip); if ($ipLong === false)