Avoid setting an explicit session ID via GET args. (joomla#43451)

This is considered a failing metric in automated PCI scans under the
"session hijacking" category and thus should be avoided.

PHP 4.3 introduced the "session.use_only_cookies" PHP configuration
option which meant that passing in a session ID via GET/POST variables
can be disabled. The code in Joomla should at very least honour this
setting.

Alternatively, if no good reason for this code exists, it should be
removed entirely.

Co-authored-by: Hannes Papenberg <[email protected]>
Co-authored-by: Richard Fath <[email protected]>
Co-authored-by: Allon Moritz <[email protected]>

Author: 4 people

libraries/src/Session/Storage/JoomlaStorage.php

@@ -301,7 +301,7 @@ public function start(): void
         // Get the cookie object
         $cookie = $this->input->cookie;
 
-        if (\is_null($cookie->get($session_name))) {
+        if (empty(\ini_get('session.use_only_cookies')) && \is_null($cookie->get($session_name))) {
             $session_clean = $this->input->getString($session_name);
 
             if ($session_clean) {