On Mon, 31 Oct 2011 23:57:59 +0100, Platonides wrote:

> Confirmed in trunk.
>
> I detail what I think is happening:
>
>> + Access the wiki and log in (DO NOT CHECK THE "REMEMBER ME" BOX). Move
>> to a wiki page that you can edit. A new session file is created and it
>> will look something like (assuming you logged on as the WikiSysop
>> user):
>>
>> wsUserID|i:1;wsToken|
>> s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|
>> s:9:"WikiSysop";wsLoginToken|N;
>
> You get a normal session.
>
>> + Wait 60 seconds or more.
>
> The session expires.
>
>> Edit the page by clicking on the edit tab.
>
> This step is interesting, since the session is expired but you are
> treated as logged in. Maybe PHP is accepting the session, and then
> deleting it right away.
>
>> Make a change and save the
>> page. You will see the message "Sorry! We could not process your edit
>> due to a loss of session data. Please try again. If it still does not
>> work, try logging out and logging back in."
>
> This is normal since you are trying to send a logged-in page as
> anonymous (token mismatch => that message).
>
>> The session file will contain:
>>
>> wsUserID|i:1;wsUserName|s:9:"WikiSysop";
>
> Seems the wiki created a new session with the same name. Or perhaps it
> renewed only those two fields.
>
>> Save the page again. This time it will work. The session data will not
>> change. Now look at Recent Changes. The edit will show the successful
>> edit assigned to an IP address not to the user.
>
> You were now an IP, so it is normal that it produces the log as IP.
>
>> If this result is reproducible, it indicates three problems.
>
>> First, an
>> edit is allowed even though the session has expired.
>
> As far as you allow anonymous editing, this is not a bug. There's no way
> to differentiate that. Unless we check that if there's an unknown
> session in a cookie to show a big warning and not allow him to send
> anything.
>
>> Second, the edit is
>> assigned to an IP address (which, actually, is a direct result of the
>> first problem).
>
> As far as you pressed 'Save' when the header showed you as an IP, this is
> normal behavior.
>
>> Finally, I can continue to edit pages even though I am shown as logged
>> out (the "log in/create account" message is shown at the top of the
>> page).
>
> As far as you allow anonymous editing, this is normal behavior.
>
>
> I disagree on where the bugs are, but you are right that there's
> something strange going on with the session.

I should have mentioned that our wikis are set up so anonymous users can only read pages. You must be logged in to edit pages. However, when I set up the development wiki for the above test, I failed to set up permissions in that way. I will do so and get back to this thread with the results.

I have filed a bug - https://bugzilla.wikimedia.org/show_bug.cgi?id=32122

-- 
-- Dan Nessett

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
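
An added example, not part of the thread and not MediaWiki code: a small Python parser for PHP's default session-file format (`key|serialized-value` pairs) that diffs the two session snapshots quoted in the report above (mail line-wrapping removed) and lists the keys absent from the second one. It handles scalar values only (`i`, `s`, `b`, `d`, `N`) and assumes ASCII content; the function names are hypothetical.

```python
"""Diff two PHP session-file snapshots (default 'php' serialize handler)."""


def parse_php_session(data: str) -> dict:
    """Parse 'key|value' pairs; supports scalar values i, s, b, d and N only."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key, pos = data[pos:bar], bar + 1
        kind = data[pos]
        if kind == "N":                      # N;
            value, pos = None, pos + 2
        elif kind == "s":                    # s:<len>:"<text>";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                # skip the ':' and opening quote
            value = data[start:start + length]
            # PHP counts bytes; this check is exact for ASCII session data.
            if data[start + length:start + length + 2] != '";':
                raise ValueError(f"bad string length for key {key!r}")
            pos = start + length + 2
        elif kind in ("i", "b", "d"):        # i:<n>;  b:<0|1>;  d:<float>;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            value = {"i": int, "b": lambda r: r == "1", "d": float}[kind](raw)
            pos = end + 1
        else:
            raise ValueError(f"unsupported type {kind!r} for key {key!r}")
        out[key] = value
    return out


def diff_sessions(before: dict, after: dict) -> dict:
    """Report keys dropped, added, or changed between two parsed snapshots."""
    shared = before.keys() & after.keys()
    return {
        "dropped": sorted(before.keys() - after.keys()),
        "added": sorted(after.keys() - before.keys()),
        "changed": sorted(k for k in shared if before[k] != after[k]),
    }


# The two snapshots quoted in the report, with the e-mail line wraps joined.
BEFORE = ('wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";'
          'wsUserName|s:9:"WikiSysop";wsLoginToken|N;')
AFTER = 'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'

if __name__ == "__main__":
    print(diff_sessions(parse_php_session(BEFORE), parse_php_session(AFTER)))
```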
