https://bugzilla.wikimedia.org/show_bug.cgi?id=27309
Summary: User.php : make $_SESSION parameters wiki-database
specific ("per-wiki"). Cookies are already.
Product: MediaWiki
Version: 1.16.2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: Normal
Component: User login
AssignedTo: wikibugs-l@lists.wikimedia.org
ReportedBy: m...@tgries.de
Created attachment 8122
--> https://bugzilla.wikimedia.org/attachment.cgi?id=8122
diff of my patch against BRANCH 1.16.2 User.php r64678
I found the following bug in User.php which is _only_ apparent when running a
plurality of wikis on the same server and when users come to the different
wikis during the same session.
(Fortunately, the current software fails safely and logs out the user, because
the token will finally not match when users switch from one to another wiki in
the same session. The patch presents a clean solution that also session
parameters are saved per-wiki, which is currently not the case.)
When users access two wikis like http://server/wiki1 and http://server/wiki2 in
the same session, the user credentials are taken with first priority from the
session (see User.php loadFromSession).
Unlike the cookies names which already reflect the wiki database names in their
cookie names like 'wiki1userID', the session currently only uses a
database-INDEPENDT name 'wsUserID' etc. like $_SESSION['wsUserID'].
I developed a patch to make the session variables conform to the cookie names
and wish to have this or a similar change submitted to the current TRUNK.
The attached patch is for BRANCH 1.16.2. Basically, I added $wgCookiePrefix to
_all_ Session variables.
--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
