Joomla 1.5 quirk in [20151206] – Core – Session Hardening patch

The Joomla 1.5 (EOL) patch to the session.php file has a quirk in it that raises a warning notice. The advisory is

[20151206] – Core – Session Hardening

but if you blindly copy that file to your system then you will end up with a web site that raises many error messages,

Notice: Only variable references should be returned by reference in /libraries/joomla/session/session.php on line 343

I thought there would be a fix for this but when I googled for that message I found thousands of hits to broken Joomla web sites. Yes, hundreds of web sites are busted in that they have lots of error messages ! The fix I have done is easy, edit the NEW session.php file you have downloaded and edit this as follows to pass a variable back,

 @@ -339,8 +339,13 @@
 $error = null;
 return $error;
 - return $this->data->getValue($namespace . '.' . $name, $default);
 +// removed this next line as it generates a Notice: Only variable references should be returned by reference error
 +// return $this->data->getValue($namespace . '.' . $name, $default);
 +// and define a variable with the data to be returned....
 + $getnamespacenamedata = $this->data->getValue($namespace . '.' . $name, $default);
 + return $getnamespacenamedata;


If you don’t know what to do with this change to get rid of that error message then you are going to have to find someone who has some PHP/Joomla experience to edit the files for you.

Changing Joomla! MySQL user password without outages.

Changing your Joomla! MySQL database password without a loss of service is done as follows,

1) Open  the existing configuration.php file for Joomla! (found in your web site root) and print or save the details. This gives you a backup copy.

2) Use your cpanel (generally cpanel but there may be other hosting backends to access the MySQL database users) and add a new database user with a suitably strong password. Take care here and observe the cpanel error messages. Unless the password is strong enough it won’t save the values.

3) Assign this new MySQL database user to your existing Joomla database with all privileges.  Thus it is running in parallel with the existing MySQL database user.

4) Now edit the configuration.php file for Joomla! (found in your web site root) and change the two entries,

$db =
$password =

to these new MySQL database user values and then save that file back to the server. Joomla! will now be using this new database user.

5) Then you must verify this is true by going into the administration for Joomla and looking under Site -> Global Configuration ->Server and seeing that the database settings username is the new username.

6) If so then use cpanel to delete the old MySQL username or at  the very least change the password to something new.

Why do it this way – why not just change the MySQL database password ?  Because of timing, you cannot change the MySQL database password and the configuration.php file instantaneously. By adding a new database user that is waiting to be used and then changing Joomla configuration there is no loss of service and you can easily verify that it is working on the new setting by checking the Joomla administration screens.

A third party ideally should not know your MySQL passwords or be able to access your MySQL databases remotely but on shared hosting where there is just one MySQL engine running then any account on that machine can access your databases if they knew the database and username and password details.