#24791 Question about cookie hijacking

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Wednesday, 27 April 2016 17:20 CDT

user87850
Hi,

I was looking in your docs for a feature that protects against session cookie hijacking but couldn't find one. What I know about this problem is that somebody can get my administrator's session cookie and then use it to access the Joomla backend. There's a feature in Admin Tools named "PHP session data poisoning protection" but I'm not sure if it is designed for this purpose.

Does Admin Tools have protection against this problem?

nicholas
Akeeba Staff
Manager
What you are interested in cannot be protected against at the web application firewall level. The mode of attack is similar to this: you are accessing your site's administrator over plain HTTP (unencrypted) through an untrusted network or computer such as a public WiFi or a library computer. An attacker on the same network can sniff the unencrypted traffic and copy your cookies. Then, using the same network, they can pose as you on your website. There is nothing to do at the web application (Joomla!) level since the only thing it ever sees to authenticate you is a cookie. That's how it's supposed to work. Joomla! already ties your cookie to characteristics of the network and browser you use to access your site BUT an attacker on the SAME network who can sniff your traffic can impersonate all that information.

There is exactly one and only one way to protect your site against cookie theft: use HTTPS and do NOT log in to your site through somebody else's computer. Never, ever!

That's what you can do. Public WiFi network operators can do something to protect you: enable the wireless client isolation feature of their access points. This prevents traffic sniffing over WiFi. However, this doesn't protect you against Ethernet (wired connection) traffic sniffing or WiFi network impersonation attacks. Especially the latter is really sneaky. An attacker can use a concealed monitoring device which makes your computer believe it's its preferred WiFi network and have it pass all the traffic through the monitoring device (man in the middle attack). The only way to successfully mitigate this class of attacks is using HTTPS with a commercial certificate and a server that supports TLS.

In so many words, the only defense you have against someone stealing parts of your network traffic is encryption. Use HTTPS on your site. That's the one and only way.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user87850
Thank you very much for the clarification. I found on the net a tool called Security Check Pro, and they write that they have features like: User session protection, Session hijacking protection. So I thought you may know this tool and surely know the topic.

However, for now for development sites I generated self-signed temporary certificates, but for one production site I don't have a certificate. I don't have any personal data there and noticed that SSL pages are loading much slower. Maybe I am not using a very good certificate. If you can kindly tell - does webpage loading speed with SSL depend on the certificate type and the company that issued/sold it? I have one Comodo PositiveSSL sold by gogetssl.com.

nicholas
Akeeba Staff
Manager
Session hijacking IS NOT necessarily the same as cookie stealing. Nobody can claim they can protect you from cookie stealing unless they are lying to you. Session hijacking can also be performed through session fixation, cross site scripting and clickjacking. The first two are dealt with in the Joomla! core, the third can be protected against through Admin Tools' .htaccess Maker. Moreover, what they call "session protection" is the same as our SessionShield which only really applies to Joomla! 3.4.5 and earlier. Later versions include the security fix we submitted to Joomla! in the week between December 17th and 24th, 2015.

Regarding SSL certificates, self-signed certificates are not a good idea for public sites. If you have sites where the cost of a commercial SSL certificate is prohibitive you can issue one for free through Let's Encrypt. Recent versions of cPanel do offer an integration with it.

The signing certificate authority does not matter as far as performance goes. On top of that, if you have a decent server, i.e. a server that's been updated in the last 7 years, the performance drop is less than 3%. For a typical Joomla! site that translates to under 50 msec or 0.05 seconds – well below the standard deviation in load times. If you are experiencing a significant performance hit it's time to look for a different hosting company. Neither our business site (on HTTPS since 2010) nor my blog site (on HTTPS since two weeks ago) had any measurable performance impact from the switch to HTTPS. Do note that I use two good quality hosts, SiteGround and Rochen.

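The two answers above come down to three server-side controls: force HTTPS so the session cookie is never sent in the clear, flag the cookie so the browser will not leak it over HTTP or to page scripts, and refuse framing to block clickjacking. The following .htaccess fragment is an added example for this thread, not output of Admin Tools' .htaccess Maker; it assumes Apache with mod_rewrite, mod_headers and mod_ssl enabled and HTTPS already configured for the host.

```apache
# Added example (not Admin Tools' .htaccess Maker output). Assumes Apache with
# mod_rewrite, mod_headers and mod_ssl, and a working HTTPS virtual host.

# 1. Send every plain-HTTP request to its HTTPS equivalent. A cookie that is
#    only ever set over HTTPS never crosses the local network unencrypted.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. HSTS: after seeing this header over HTTPS, the browser refuses to make
#    plain-HTTP requests to the host for a year, so a rogue access point
#    cannot downgrade the connection. Emitted only on HTTPS responses.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

# 3. Cookie flags on whatever PHP/Joomla! sets (including the 303 after
#    login). "Secure" stops the browser sending the cookie over HTTP at all;
#    "HttpOnly" keeps it out of reach of page scripts, the XSS route to session
#    hijacking. Each regex matches only when that flag is missing, so flags
#    already present are not duplicated.
Header edit Set-Cookie "(?i)^((?:(?!;\s*secure).)*)$" "$1; Secure"
Header edit Set-Cookie "(?i)^((?:(?!;\s*httponly).)*)$" "$1; HttpOnly"

# 4. Clickjacking: the administrator pages may only be framed by this origin.
Header always set X-Frame-Options "SAMEORIGIN"
```

Rule 1 duplicates what Joomla!'s own Global Configuration "Force HTTPS" option does, but at the web server layer it also covers static files and any request that never reaches PHP.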

user87850
Thanks very much for your answer. I will check your suggestions.

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
