How to Use a Hash in the URL to Authenticate Logins to a Joomla Website

This afternoon a new client called us and told us that he’s not able to log in to the backend of his Joomla website. While we’ve seen his exact problem before (he wasn’t able to log in and no error was displayed), we were not able to fix it using our standard techniques. So we spent literally over 10 hours trying to fix the problem but to no avail. We knew it had something to do with the session not being saved properly, but we couldn’t figure out the cause of the problem. Eventually, our youngest team member pointed out that the client was using a literally unknown web server (we can’t for the lives of us remember its name – but it was calling itself “Apache Like”), and so we did some testing and we eventually narrowed down the problem to the web server – this unknown web server just didn’t handle sessions the same way as Apache did – something that confused Joomla.

So, just to make sure, we asked him whether his hosting company had changed its server environment lately, and he immediately forwarded us an email (sent from his hosting company) explaining the move to “a better”, “more performing”, and “more reliable” web server. We read the email and we wondered why on earth anyone would use an unknown web server to serve his clients. But enough rant…

We offered our client 2 choices:

  1. Switch his server environment to an orthodox LAMP environment.
  2. Let us devise a way (that may or may not be costly) to address the problem.

Our client, who was running a mission-critical website pertaining to his industry, went with the latter option. So, we disabled Joomla’s authentication for the backend and we used a secret hash (appended to the URL) to automatically authenticate the user. Here’s what we did, in detail:

Step 1 – We disabled Joomla’s authentication

Disabling Joomla’s authentication can be done in many, many ways! We prefer the following method:

  • Open the file session.php located under the libraries/joomla/session folder.
  • Comment out lines 521, 522, 524, 527, and 528. In other words, the following code:

    if (!JRequest::getVar($session_name, false, 'COOKIE'))
    {
    	if (JRequest::getVar($session_name))
    	{
    		setcookie($session_name, '', time() - 3600);
    	}
    }

    should change to:

    // if (!JRequest::getVar($session_name, false, 'COOKIE'))
    // {
    	if (JRequest::getVar($session_name))
    //	{
    		setcookie($session_name, '', time() - 3600);
    //	}
    // }

  • Save the file and upload it back.

Step 2 – Authenticate Using a Hash in the URL

Authenticating users using a hash in the URL means that having something like [secret_hash] in the URL will allow you to log in to the website without entering any username and password (provided, of course, the secret_hash is correct). Authenticating using a hash can be done the following way:

  • Open the file index.php located under the administrator directory.
  • Add the following code to the top of the index.php file:

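    // Take the hash from the URL first, then fall back to the cookie.
    $myHash = isset($_GET['myhash']) ? $_GET['myhash'] : '';
    if (empty($myHash))
    	$myHash = isset($_COOKIE['myhash']) ? $_COOKIE['myhash'] : '';
    // Reject anything that is not exactly the secret string.
    if ($myHash !== 'abcdefg1234567') {
    	die('No access');
    }
    // Remember the hash so that later backend requests pass the check.
    setcookie('myhash', 'abcdefg1234567');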

    The above code ensures that only the URL with the right hash (which is abcdefg1234567 in our case) can gain access to the admin section. Additionally, it ensures a persistent authentication across the backend by setting and getting a cookie.

  • Save the index.php file and upload it back.
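A hardened variant of the Step 2 gate, as an added example that is not the original post's code: it compares in constant time, keeps only a SHA-256 digest of the URL token on the server, and issues an expiring HMAC cookie instead of copying the secret into the cookie. It assumes PHP 5.6+ and an HTTPS backend served under /administrator; GATE_TTL, the 'gate' cookie name and both secrets are hypothetical, constructed values.

```php
<?php
// Added example, not the original post's code. Assumes PHP 5.6+ and an HTTPS-only backend.
// GATE_TTL, the 'gate' cookie and both secrets are hypothetical, constructed values.
const GATE_TTL = 3600; // seconds a gate cookie stays valid

// Cookie value is "<expiry>:<HMAC of expiry>", so the URL token is never stored client-side.
function gate_tag($expires, $cookieKey)
{
    return $expires . ':' . hash_hmac('sha256', 'admin-gate|' . $expires, $cookieKey);
}

// Pure decision function: returns array('allow' => bool, 'set_cookie' => string|null).
function gate_check(array $get, array $cookie, $tokenSha256, $cookieKey, $now)
{
    $c = (isset($cookie['gate']) && is_string($cookie['gate'])) ? $cookie['gate'] : '';
    $expires = (int) $c; // leading digits of the cookie; 0 when absent or malformed
    if ($expires > $now && hash_equals(gate_tag($expires, $cookieKey), $c)) {
        return array('allow' => true, 'set_cookie' => null);
    }
    // Only string values are accepted; ?myhash[]=x arrives as an array and is rejected.
    $token = (isset($get['myhash']) && is_string($get['myhash'])) ? $get['myhash'] : '';
    if ($token !== '' && hash_equals($tokenSha256, hash('sha256', $token))) {
        return array('allow' => true, 'set_cookie' => gate_tag($now + GATE_TTL, $cookieKey));
    }
    return array('allow' => false, 'set_cookie' => null);
}

// Constructed demo secrets; real ones come from a CSPRNG and live outside the web root.
$cookieKey   = 'constructed-demo-cookie-key';
$tokenSha256 = hash('sha256', 'constructed-demo-token'); // store only this digest
if (PHP_SAPI === 'cli') {
    // Offline walk-through: token login, cookie reuse, then the same cookie after expiry.
    $first = gate_check(array('myhash' => 'constructed-demo-token'), array(), $tokenSha256, $cookieKey, 1000);
    $again = gate_check(array(), array('gate' => $first['set_cookie']), $tokenSha256, $cookieKey, 2000);
    $stale = gate_check(array(), array('gate' => $first['set_cookie']), $tokenSha256, $cookieKey, 5000);
    var_dump($first['allow'], $again['allow'], $stale['allow']);
} else {
    $d = gate_check($_GET, $_COOKIE, $tokenSha256, $cookieKey, time());
    if (!$d['allow']) {
        header('HTTP/1.1 403 Forbidden');
        die('No access');
    }
    if ($d['set_cookie'] !== null) {
        // Secure + HttpOnly cookie scoped to the backend; redirect so the token leaves the URL.
        setcookie('gate', $d['set_cookie'], time() + GATE_TTL, '/administrator', '', true, true);
        header('Location: index.php');
        exit;
    }
}
```

Run from the command line, the script exercises the three constructed requests; included at the top of administrator/index.php, it enforces the gate on every backend request.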

As you can see from the above, it’s a simple solution. It’s also far from ideal (yes – we admit it), but if the environment has problems with sessions, it might be the only solution.

If you’re having session issues related to the environment when logging in to your Joomla website, then fear not, your problem has a solution, and we can implement it for you. Just contact us and we’ll implement the above for you in no time and at a very affordable cost. Oh, and have we mentioned that we are the friendliest Joomla experts on this planet?
