On Tue, 11 Oct 2011 17:17:04 +0000, Dan Nessett wrote:

> On Mon, 10 Oct 2011 12:44:57 -0700, Brion Vibber wrote:
>
>> On Mon, Oct 10, 2011 at 11:16 AM, Dan Nessett <[email protected]>
>> wrote:
>>
>>> We have been experiencing problems with MW 1.16.2 related to logged in
>>> users on client machines where the IP address changes. I have looked
>>> over the Bugzilla reports but could not find anything obviously
>>> related.
>>>
>>> If a user with a laptop logs into the wiki, puts the laptop to sleep,
>>> moves to a different location and then attempts to continue
>>> processing, the logs show his changes mapped to an IP address (or on
>>> one of our wikis as anonymous), rather than his user name. A simple
>>> thought experiment suggests the cookie presented to the wiki after the
>>> laptop move has a different IP address than the request message. This
>>> confuses MW, giving the user all his permissions (since he is logged
>>> in), but not properly identifying the user's name in the logs.
>>>
>>>
>> Session cookies are not tied to IP addresses. Most likely, the session
>> has simply expired -- it won't make a difference whether you come back
>> on a different IP or the same one, expired session data will kill your
>> login.
>>
>> Note that in the case of session expiration, the caching workaround
>> that we perform on logout (setting a 'logged out at time X' cookie)
>> doesn't work, so you may initially see a couple page views that still
>> look like you're logged in. You should not see this confusion on the
>> actual edit page itself -- this won't be cached so should show you that
>> you are not logged out.
>>
>> Consider increasing PHP's session lifetime:
>> http://us2.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
>>
>> the default is 1440 seconds (24 minutes), meaning that a session which
>> doesn't get touched for 24 minutes may get destroyed during garbage
>> collection.
>>
>>
>> It's also possible that there's something else in your system which
>> introduces an IP-address dependency for sessions, such as the session
>> encryption option in the suhosin plugin with some unsafe configuration
>> options used:
>>
>> http://www.hardened-php.net/suhosin/configuration.html#suhosin.session.checkraddr
>>
>> -- brion
>
> Thanks for your reply and for the clarification about sessions not
> associating with IP addresses. However, it seems unlikely that session
> expiration is the problem.
>
> Our wikis require login before users can do anything other than view
> pages. However, when the situation I described previously occurs, the
> user is able to edit pages and do anything else his permissions allow
> when logged in. The problem appears to have something to do with the way
> IP addresses are mapped to user names by the logging logic. That is, the
> session is still active, but when entries are made in the logs, the
> username is replaced either by the IP address of the request or by the
> generic identifier "anonymous" (different behavior on different wikis -
> probably a configuration issue, which I am investigating).

I need to clarify one thing. For a revision deletion/restore, the
identifier "Anonymous" appears in the deletion log, not in Recent
Changes, which has the IP address of the request. Recent changes always
records the IP address.

--
-- Dan Nessett
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
