https://bugzilla.wikimedia.org/show_bug.cgi?id=32363
Web browser: ---
Bug #: 32363
Summary: Login sometimes causes unexpected "Login Error" message
Product: MediaWiki
Version: 1.16.5
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: User login
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
This bug was discovered while working on bug 32122
(https://bugzilla.wikimedia.org/show_bug.cgi?id=32122). In order to reproduce
it reliably, a developer must make the following changes to php.ini (this
should *not* be done on a production machine, since the settings force the PHP
garbage collector to run on every page access).
- session.gc_probability = 100
- session.gc_divisor = 100
- session.gc_maxlifetime = 60
- session.save_path = <some directory writable by httpd>
After making these changes, restart httpd. Then execute the following:
- Login
- Immediately log out
- Wait more than 60 seconds. Do not change the page, stay on the "Log out" page
  which states: "You are now logged out. You can continue to use MW_1_16_5
  anonymously ..."
- Login
The error:
"Login error
There seems to be a problem with your login session; this action has been
canceled as a precaution against session hijacking. Go back to the previous
page, reload that page and then try again."
is displayed.
This bug appears to arise due to session management logic in MW in tandem with
PHP session garbage collection. One commenter on bug 32122 suggests this is
expected behavior. However, from a user's point of view that is highly
unlikely.
One possible solution is to destroy the session on logout. There is a PHP
function, session_destroy, that destroys session data, but it isn't clear
whether that function actually deletes the session file. Also, it isn't clear
how to delete sessions held by memcached.
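The report leaves open whether session_destroy removes the session file. The following is an added example, not part of the original report and not MediaWiki code, that checks this for PHP's default "files" save handler from the PHP CLI on a test machine. The temporary directory name, the `demoToken` key and the `sessionFileExists` helper are constructed for the demonstration, and it does not cover sessions held by memcached.

```php
<?php
// Added example: does session_destroy() remove the file kept by the
// "files" save handler? Run from the PHP CLI (PHP 7+), never on production.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();   // constructed path
mkdir($dir, 0700);

// Configure sessions before any output; the CLI needs no cookies or headers.
ini_set('session.save_handler', 'files');
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
session_save_path($dir);

// Hypothetical helper: true if the handler still stores data for this id.
function sessionFileExists(string $dir, string $id): bool
{
    clearstatcache();
    return file_exists($dir . '/sess_' . $id);
}

// 1. "Login": create a session and store a value in it.
session_start();
$id = session_id();
$_SESSION['demoToken'] = bin2hex(random_bytes(16));
session_write_close();
$afterLogin = sessionFileExists($dir, $id);

// 2. "Logout" that only empties the session variables.
session_id($id);
session_start();
$_SESSION = [];
session_write_close();
$afterClear = sessionFileExists($dir, $id);

// 3. "Logout" that also calls session_destroy().
session_id($id);
session_start();
$_SESSION = [];
$destroyed = session_destroy();
$afterDestroy = sessionFileExists($dir, $id);

// Report at the end so no output precedes the session calls.
printf("file present after login:            %s\n", var_export($afterLogin, true));
printf("file present after clearing only:    %s\n", var_export($afterClear, true));
printf("session_destroy() returned:          %s\n", var_export($destroyed, true));
printf("file present after session_destroy:  %s\n", var_export($afterDestroy, true));

// Remove anything the demo left behind.
array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

session_destroy hands the session id to the active save handler's destroy callback, so a site using a different handler has to repeat the check against that handler's storage.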