On Tue, Oct 11, 2011 at 10:17 AM, Dan Nessett <[email protected]> wrote:
> Thanks for your reply and for the clarification about sessions not > associating with IP addresses. However, it seems unlikely that session > expiration is the problem. > > Our wikis require login before users can do anything other than view > pages. However, when the situation I described previously occurs, the > user is able to edit pages and do anything else his permissions allow > when logged in. The problem appears to have something to do with the way > IP addresses are mapped to user names by the logging logic. That is, the > session is still active, but when entries are made in the logs, the > username is replaced either by the IP address of the request or by the > generic identifier "anonymous" (different behavior on different wikis - > probably a configuration issue, which I am investigating). > Ok, my suspicion is on <https://bugzilla.wikimedia.org/show_bug.cgi?id=28639>, fixed in the 1.16.5 security release in May: < http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html > It looks like there may be some cases where session expiration (or similar issues) might have left things in a state where the previous user's permissions got kept but the other info got thrown away. This would presumably allow edits etc to finish up, while recording them as not a user id. -- brion _______________________________________________ MediaWiki-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
