Joomla Cookies


vand...@gmail.com

Nov 16, 2016, 8:39:19 PM
to Joomla! General Development
Good afternoon,

I'm working on an integration of Joomla with a Java application.
Using the database as the method for session handling, it would be pretty simple to share any needed data between these platforms.

The point is:
I need to get the default Joomla cookie by name in order to know the user whose session ID the Java app shall handle before querying it from jos_session table. I don't know which algorithm Joomla uses to define cookie names.

This is how I solved this in Wordpress:
I've built a function that sets the session ID stored in the cookie also on the database as soon as the cookie is created. That was rather simple because Wordpress names cookies in a simple way: 'CONSTANT_'md5(($_SERVER['SERVER_NAME'])). So, all the Java app has to do is to retrieve that cookie.

But as I'm going to use iFrames and the Java app uses PostgreSQL as its database, Wordpress is no longer a viable option and brought me back to Joomla.

That's the question: how do I find out Joomla's cookie names? And if for some reason they are created dynamically and there is no simple way of doing that, how can I force Joomla to create a custom cookie alongside the default ones for logged-in and not-logged-in users?

Thank you in advance,


Vdk.

Yves Blatti

Nov 17, 2016, 11:01:24 AM
to Joomla! General Development
Hi!

The only implementation I know in Java is easySDI (an open-source Spatial Data Infrastructure based on Joomla!); it uses a custom Spring Security Bean "JoomlaCookieAuthenticationFilter".
Look here: https://forge.easysdi.org/projects/easysdi/repository/entry/trunk/java/easysdi/proxy/src/main/java/org/easysdi/proxy/security/JoomlaCookieAuthenticationFilter.java

The code seems to look for a cookie value (not the key) matching the session_id in the #__session table. If I'm right, it doesn't care about the cookie key, and loops through all of them.

Joomla cookies are salted with the system 'secret' and hashed (md5). So I suppose this looping has been done to avoid sharing the secret.
References:
\joomla\libraries\joomla\application\web.php
\joomla\libraries\joomla\session\session.php

So IMHO you can 1) Share your site secret or 2) Loop through the cookie values to find a valid session cookie value in the DB.

HIH

vand...@gmail.com

Nov 17, 2016, 1:55:58 PM
to Joomla! General Development
Hi, Yves!

Thank you very much for your reply.

I could not reproduce the cookie's name even after MD5-hashing the secret key + user id or whatever.
Another strange thing I just noticed is that Joomla creates several cookies using the same name.

I deleted all Firefox cookies from my local Joomla installation and logged in.
Joomla created this cookie: 94aeaaa6629866c966cbea17b515a243.

I logged off and logged in again and Joomla created 5 more cookies with the same name but different content, which are the session IDs. 4 of them are not expired.

Also, another cookie named joomla_user_state has the content "logged_in", which remains the same even after I log out.

So even though the Java app could find the proper cookie by its name, it would not know which one to "grab". I would like to avoid the idea of browsing users' cookies and querying the database for a valid session id.

Maybe the best solution would be to create a specific cookie, with a known name and the session id as its content, when Joomla's first cookie is created. Do you know how to do that?

Thank you again,

Vdk.

Yves Blatti

Nov 18, 2016, 4:34:37 AM
to Joomla! General Development
Oh, I think I found what you need in:

\joomla\libraries\joomla\application\web.php
\joomla\libraries\joomla\session\session.php
and
\joomla\libraries\cms\application\cms.php

My cookie for my front end user can be found using:
$yourCookienameForFrontEnd = md5(md5('the_$secret_in_your_configuration.php' . 'site'));

The value is hashed twice: once in the 'session_name' created in Application (site or admin) and once in the session handler (all names are hashed).

So, this confirms, that if you want to grab the right cookies by the java app, you have to share the secret.

Hope it helps

Yves


vand...@gmail.com

Nov 18, 2016, 8:10:23 PM
to Joomla! General Development
Hello, Yves. Thanks again for your support.

I don't know if I am doing something wrong but I can't get the cookie name even following your guide.
I blanked the secret in configuration.php to make things easier and tried to generate the cookie name.

This is the cookie name got from $_COOKIE:
81f30cf708470b974874c8a96a6bcdb2

This is what I get from
$cookieName = md5(md5('Testing'));
(Testing is the site's name)

009f985f284380ecd25281f58a9e3455

I noticed cookie name does not change even if I rename the site, so I tried the URL
working on a local machine using Apache's VHosts.
$cookieName = md5(md5('http://joomla'));
(this is how we access Joomla from local network)

and this is what I get:
ec7a30e5bbdd3e2388adbb8a10d49959

I can't figure out what is wrong. The Joomla version is 3.6.

Thank you again.

Vdk.

Yves Blatti

Nov 19, 2016, 5:58:23 AM
to Joomla! General Development
Hi again,

Sorry, I have not been clear: the cookie name is the double-hashed value of the concatenation of the '$secret' variable in your configuration.php file (at the root of your Joomla install, example here: https://github.com/openshift/joomla-example/blob/master/php/configuration.php) and the string "site" if you want the front end cookie (there is a different cookie if logged in as administrator).

For example:
$cookieName = md5(md5('UnX75NMoFOpLpSn6' . 'site'));

Give it a try
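
The name derivation described in this reply, carried over to the Java side, as an added example that is not part of the thread and not easySDI's code: it computes md5(md5($secret . 'site')) and collects every value sent under that name, since the thread reports several cookies sharing one name. The class and method names and the session-id pattern are assumptions, and the Cookie header in main is constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class JoomlaSessionCookie {
    // Assumed shape of a PHP session id; values outside it are never used as a lookup key.
    private static final Pattern SESSION_ID = Pattern.compile("[A-Za-z0-9,-]{22,256}");
    // Lowercase hex MD5, the same output format as PHP's md5().
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Front-end cookie name as given in the thread: md5(md5($secret . 'site')).
    static String frontEndCookieName(String secret) {
        return md5Hex(md5Hex(secret + "site"));
    }

    // Every well-formed value the browser sent under the session cookie name.
    static List<String> candidates(String cookieHeader, String secret) {
        String name = frontEndCookieName(secret);
        List<String> out = new ArrayList<>();
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String value = pair.substring(eq + 1).trim();
            if (pair.substring(0, eq).trim().equals(name) && SESSION_ID.matcher(value).matches()) {
                out.add(value);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String secret = "UnX75NMoFOpLpSn6"; // sample secret quoted in the thread
        String header = "joomla_user_state=logged_in; " + frontEndCookieName(secret)
                + "=0123456789abcdef0123456789abcdef"; // constructed header
        System.out.println(frontEndCookieName(secret));
        System.out.println(candidates(header, secret));
    }
}
```

Each candidate is then matched against session_id in the session table with a parameterized query, and only a value that has a row there identifies a session. The secret now lives in the Java app's configuration as well, so it is stored and rotated like any other shared credential.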

vand...@gmail.com

Nov 19, 2016, 11:35:11 AM
to Joomla! General Development
Hello, Yves. You were clear, at first.

I apologize because I wasn't.

I cleared the secret string on my configuration.php file, it looks like that now:
public $secret = '';

So there is nothing to be concatenated from there once that's empty. The point is the string 'site'. I don't know what it means. Already tried site's name and site's url, but did not work. Even before I clear $secret I could not match the hashes.

Thank you again.

Vdk.

vand...@gmail.com

Nov 19, 2016, 11:39:55 AM
to Joomla! General Development
Oh! I just got it!
'site' is a constant.

Thank you very much! Really appreciated!

You solved my problem!

Vdk.