Problems in Joomla after upgrading to PHP 5.2.5

After having upgraded a web server to the latest version of the awesome PHP module for Apache, I ran into a snag with Joomla. At the time, I had just upgraded a few sites to Joomla 1.0.13 so it was hard to immediately find someone to blame 🙂

What happened was that I could no longer login as to the Joomla backend (admin, whatever, nothing worked). I kept being re-directed to the login page again. Entering an incorrect password on purpose would yield the correct message (i.e. “Incorrect username/password” bla bla). After digging around for many hours, and reading Joomla code, I saw that Joomla utilizes the session_name () PHP function call. This doesn’t sound too strange, until I checked the PHP 5.2.5 changelog, which states:

Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set())

Knowing that I usually configure a unique session name for every site by using

php_admin_value session.name=”MyUniqueSessionName”

in my Apache .conf-file, I was thinking that although ini_set() wasn’t used in the Joomla code I was looking at, I guess you would want to protect yourself against applications overriding the session.name PHP admin value; and Joomla makes use of the session_name() function to do just that.

Removing the use of the above configuration directive from my Apache .conf-file, and restarting Apache, the problem went away.

The bug is reported in the JoomlaCode tracker at:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=8271.

I intend to add this explanation to that tracker item as soon as I’m allowed to 🙂

To sum things up: This is not a bug in Joomla 1.0.x nor in PHP 5.2.5 per se, it’s a case of security catching up with you (if you’re as anal about it as I’ve been with my PHP/Apache configuration).