diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e3e140..04efaf0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Each entry has a label and enabled toggle for easy management
- Current IP display above trusted IPs table so admins can easily add their own IP
+### Fixed
+- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first)
+
## [02.06.00] - 2026-05-25
### Added
diff --git a/README.md b/README.md
index 8f7ee22..0c75e9a 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
DEFGROUP: Joomla.Plugin
INGROUP: MokoWaaS
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.11.01
+ VERSION: 02.11.02
PATH: /README.md
BRIEF: MokoWaaS platform plugin for Joomla
-->
diff --git a/src/packages/com_mokowaas/mokowaas.xml b/src/packages/com_mokowaas/mokowaas.xml
index 70359c5..2e65791 100644
--- a/src/packages/com_mokowaas/mokowaas.xml
+++ b/src/packages/com_mokowaas/mokowaas.xml
@@ -7,7 +7,7 @@
GPL-3.0-or-later
hello@mokoconsulting.tech
https://mokoconsulting.tech
- 02.11.01
+ 02.11.02
Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.
Moko\Component\MokoWaaS\Api
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index f99ce7b..2f29125 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -31,6 +31,7 @@ namespace Moko\Plugin\System\MokoWaaS\Extension;
defined('_JEXEC') or die;
+use Joomla\CMS\Extension\BootableExtensionInterface;
use Joomla\CMS\Factory;
use Joomla\CMS\Log\Log;
use Joomla\CMS\Plugin\CMSPlugin;
@@ -38,6 +39,7 @@ use Joomla\CMS\Router\Route;
use Joomla\CMS\Language\Language;
use Joomla\CMS\Uri\Uri;
use Joomla\CMS\User\UserHelper;
+use Psr\Container\ContainerInterface;
/**
* MokoWaaS Brand System Plugin
@@ -47,7 +49,7 @@ use Joomla\CMS\User\UserHelper;
*
* @since 01.04.00
*/
-class MokoWaaS extends CMSPlugin
+class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
{
/**
* Obfuscated Grafana URL (XOR + base64).
@@ -114,6 +116,37 @@ class MokoWaaS extends CMSPlugin
*/
protected $app;
+ /**
+ * Boot the extension — runs BEFORE Joomla creates the session.
+ *
+ * Extends the Joomla session lifetime for trusted IPs so the
+ * session handler does not destroy the session before
+ * onAfterInitialise can run.
+ *
+ * @param ContainerInterface $container The DI container.
+ *
+ * @return void
+ *
+ * @since 02.11.00
+ */
+ public function boot(ContainerInterface $container): void
+ {
+ $timeout = (int) $this->params->get('admin_session_timeout', 0);
+
+ if ($timeout <= 0)
+ {
+ return;
+ }
+
+ if ($this->ipIsTrusted())
+ {
+ // Set both PHP and Joomla session lifetimes before the
+ // session handler runs its expiry check.
+ ini_set('session.gc_maxlifetime', 315360000);
+ Factory::getConfig()->set('lifetime', 525600);
+ }
+ }
+
/**
* Event triggered after the framework has loaded and the application initialise method has been called.
*
@@ -3343,11 +3376,9 @@ class MokoWaaS extends CMSPlugin
return;
}
- // Don't timeout trusted IPs — extend their session instead
+ // Trusted IPs — session lifetime already extended in boot()
if ($this->ipIsTrusted())
{
- ini_set('session.gc_maxlifetime', 315360000);
-
return;
}
@@ -3398,7 +3429,9 @@ class MokoWaaS extends CMSPlugin
return false;
}
- $ip = $this->app->input->server->getString('REMOTE_ADDR', '');
+ $ip = $this->app
+ ? $this->app->input->server->getString('REMOTE_ADDR', '')
+ : ($_SERVER['REMOTE_ADDR'] ?? '');
$ipLong = ip2long($ip);
if ($ipLong === false)
diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml
index a30881b..12cad11 100644
--- a/src/packages/plg_system_mokowaas/mokowaas.xml
+++ b/src/packages/plg_system_mokowaas/mokowaas.xml
@@ -30,7 +30,7 @@
GNU General Public License version 3 or later; see LICENSE.md
hello@mokoconsulting.tech
https://mokoconsulting.tech
- 02.11.01
+ 02.11.02
This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.
Moko\Plugin\System\MokoWaaS
script.php
diff --git a/src/packages/plg_webservices_mokowaas/mokowaas.xml b/src/packages/plg_webservices_mokowaas/mokowaas.xml
index 2d239a8..ec53c7b 100644
--- a/src/packages/plg_webservices_mokowaas/mokowaas.xml
+++ b/src/packages/plg_webservices_mokowaas/mokowaas.xml
@@ -7,7 +7,7 @@
GPL-3.0-or-later
hello@mokoconsulting.tech
https://mokoconsulting.tech
- 02.11.01
+ 02.11.02
Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.
Moko\Plugin\WebServices\MokoWaaS
diff --git a/src/pkg_mokowaas.xml b/src/pkg_mokowaas.xml
index 18ae5ec..e4ec44b 100644
--- a/src/pkg_mokowaas.xml
+++ b/src/pkg_mokowaas.xml
@@ -2,7 +2,7 @@
MokoWaaS
mokowaas
- 02.11.01
+ 02.11.02
2026-05-23
Moko Consulting
hello@mokoconsulting.tech