https://bugzilla.wikimedia.org/show_bug.cgi?id=32122

--- Comment #2 from Dan Nessett <[email protected]> 2011-11-01 18:41:49 UTC ---
I am updating this bug, since originally I ran the procedure against a wiki
with permissions that allowed anonymous edits. When I ran it against one that
limited anonymous users to only read pages and gave logged in users normal
non-sysop privileges, the problem didn't occur.

I should mention that the motivation for this line of investigation arose from
an intermittent problem on our wikis (which run 1.16.2). Occasionally edit
records in Recent Changes would show up with the IP address of the user making
the edit. This should never happen on our wikis since, as stated previously,
only logged in users should have page edit privileges.

So, while I still believe there is a problem with PHP sessions, I cannot yet
reproduce the intermittent problem we observe. However, other improper behavior
is reproducible.

For example, on both MW 1.16.2 and MW 1.16.5, if you execute the procedure
specified earlier in this thread up to the point where an edit is attempted
(i.e., log in and wait 60 seconds) and then, instead of editing, simply refresh
the page, the line at the top of the page still shows the user logged in. However,
the session record changes from (before the 60 second timeout):

wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|s:9:"WikiSysop";wsLoginToken|N;

to (after the page refresh):

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

It isn't clear why the session file remains after the page refresh, since it
should have been cleared by the PHP garbage collector. Furthermore, it isn't
clear why the session record contains a wsUserName value of WikiSysop. Since
the user is logged out (although this isn't indicated on the browser page), the
session record should show an anonymous user.

If you refresh the page again, the logged in/out line is properly displayed as
logged out, but the session record has not changed. That is, it still equals:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

Finally, sometimes when logging in after refreshing the page twice, the
following error message is displayed:

"Login error
 There seems to be a problem with your login session; this action has been
canceled as a precaution against session hijacking. Go back to the previous
page, reload that page and then try again."

The session data at this point reads:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";wsLoginToken|s:32:"3bc03a309dd80ff94633dc6b43218309";

This appears to improperly associate the username WikiSysop with an anonymous
login token.

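The session records quoted in the comment above are in the format of PHP's default "php" session serialize handler (key|serialized-value; pairs). The following script, added here as an illustration and not part of the bug report or of MediaWiki's code, decodes such records and classifies them the way the comment does: a record with wsUserID, wsUserName and wsToken is logged in; a record carrying a user identity without wsToken is a stale identity; a wsLoginToken (the login form's anti-hijack token) sitting next to a user identity is flagged. Those classification rules are an assumption modelled on the comment's description, not on MediaWiki's own session-loading logic. The three sample records are copied from the text of the comment; the nested-array support goes beyond what the comment shows so the decoder can be reused on other PHP session files.

```python
"""Decode PHP session records in the 'php' serialize-handler format
(key|value;key|value;...) and flag the inconsistent login states
described in the bug comment."""

# Session data quoted in the bug comment, embedded here as constructed
# sample input (copied from the text of the report).
SAMPLES = {
    "before_timeout": b'wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";'
                      b'wsUserName|s:9:"WikiSysop";wsLoginToken|N;',
    "after_refresh": b'wsUserID|i:1;wsUserName|s:9:"WikiSysop";',
    "login_error": b'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'
                   b'wsLoginToken|s:32:"3bc03a309dd80ff94633dc6b43218309";',
}


def _parse_value(data, pos):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos).
    Handles N (null), b, i, d, s and a (arrays keyed by int or string).
    PHP string lengths are byte counts, which is why this works on bytes."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        if data[pos + 1:pos + 2] != b";":
            raise ValueError("malformed null at %d" % pos)
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if tag == b"b":
            value = raw == b"1"
        elif tag == b"i":
            value = int(raw)
        else:
            value = float(raw)
        return value, end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length mismatch at %d" % pos)
        return value.decode("utf-8", "replace"), start + length + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                          # skip ':{'
        items = {}
        for _ in range(count):
            key, p = _parse_value(data, p)
            items[key], p = _parse_value(data, p)
        if data[p:p + 1] != b"}":
            raise ValueError("unterminated array at %d" % pos)
        return items, p + 1
    raise ValueError("unsupported type %r at %d" % (tag, pos))


def decode_php_session(data):
    """Decode a whole session record (the contents of a sess_* file) into a
    dict corresponding to PHP's $_SESSION."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    record = {}
    pos = 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        key = data[pos:bar].decode("utf-8", "replace")
        record[key], pos = _parse_value(data, bar + 1)
    return record


def audit_session(record):
    """Classify a decoded MediaWiki session and list inconsistencies.
    Assumption (modelled on the bug comment, not on MediaWiki's own code):
    a logged-in session carries wsUserID, wsUserName and wsToken together;
    an identity without wsToken is stale; wsLoginToken (the login form's
    anti-hijack token) should not sit alongside a logged-in identity."""
    uid = record.get("wsUserID") or 0
    findings = []
    if uid == 0:
        state = "anonymous"
        if record.get("wsUserName"):
            findings.append("wsUserName present without wsUserID")
    elif record.get("wsToken"):
        state = "logged_in"
        if not record.get("wsUserName"):
            findings.append("wsUserID set but wsUserName missing")
    else:
        state = "stale"
        findings.append("wsUserID/wsUserName present but wsToken missing")
    if uid and record.get("wsLoginToken") is not None:
        findings.append("wsLoginToken coexists with a user identity")
    return state, findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        state, findings = audit_session(decode_php_session(raw))
        print("%-15s %-10s %s" % (name, state, "; ".join(findings) or "ok"))
```

Run against the three records from the comment, the first classifies as logged in, the second as a stale identity (no wsToken), and the third as a stale identity that also carries a login-form token. Pointing decode_php_session at the raw contents of a sess_* file under session.save_path gives the same view for a live wiki, provided the handler is the default "php" one (session.serialize_handler = php_serialize or php_binary use different layouts).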