https://bugzilla.wikimedia.org/show_bug.cgi?id=19158
Web browser: ---
Summary: CentralAuth only looks for Session-Cookie?
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: Normal
Component: CentralAuth
AssignedTo: [email protected]
ReportedBy: [email protected]
Hi,
At de.wikipedia someone who seems reliable (8k edits) claims that he was
identified as the wrong user - he could do everything as this user (he posted a
screenshot of the Settings, see
http://de.wikipedia.org/wiki/Datei:Alasto2.png).
His username is Marsupilami, the occupied username is Alasto2.
His cookies are correct (see
http://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=61039969#Wieso_bin_ich_nicht_mehr_ich.3F
at the bottom).
After having a quick look at CentralAuthUser.php, it seems to me that
getSession() only looks at the MD5 hash in the Session cookie. So maybe it's
unlikely that two people have the same hash, but I think it would be better to
also check the "centralauth_User" cookie. I'm not sure if I'm reading the code
correctly, but there is the problem that one user can see/do everything for
another user.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
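The check the reporter proposes, as an added illustration written for this page and not CentralAuth's own code: a session lookup keyed only by the hash, next to one that also requires the session record to name the user the centralauth_User cookie claims. The session store layout and the cookie name "centralauth_Session" are assumptions; only "centralauth_User" is taken from the report.

```php
<?php
// Added illustration, not the CentralAuth extension's real code.
// Assumed: sessions are stored under their MD5 hash; "centralauth_Session"
// holds that hash; "centralauth_User" (named in the report) holds the username.

// Constructed session store, keyed only by the session hash, mirroring the
// reported getSession() behaviour. A real store would be memcached/DB-backed.
$sessionStore = [
    'd41d8cd98f00b204e9800998ecf8427e' => ['user' => 'UserA', 'expiry' => PHP_INT_MAX],
];

// Lookup as described in the report: whoever presents (or collides with)
// the hash receives the stored identity, whatever user they claim to be.
function getSessionByHashOnly(array $store, array $cookies): ?array {
    $hash = $cookies['centralauth_Session'] ?? '';
    return $store[$hash] ?? null;
}

// Hardened lookup: the hash must be well-formed, the session unexpired,
// and the stored username must match the centralauth_User cookie.
function getSessionBound(array $store, array $cookies, int $now): ?array {
    $hash = $cookies['centralauth_Session'] ?? '';
    $claimedUser = $cookies['centralauth_User'] ?? '';
    // Reject anything that is not a 32-hex-char MD5 before touching the store.
    if (!preg_match('/^[0-9a-f]{32}$/', $hash) || $claimedUser === '') {
        return null;
    }
    $session = $store[$hash] ?? null;
    if ($session === null || $session['expiry'] <= $now) {
        return null;
    }
    // A mismatch means a stale, swapped or colliding session: log it and
    // treat the request as logged out rather than trusting either cookie.
    if ($session['user'] !== $claimedUser) {
        error_log("CentralAuth session/user mismatch: cookie says $claimedUser, "
            . "session says {$session['user']}");
        return null;
    }
    return $session;
}

// Constructed request: a client holding the stored hash but claiming UserB.
$cookies = ['centralauth_Session' => 'd41d8cd98f00b204e9800998ecf8427e',
            'centralauth_User' => 'UserB'];
var_dump(getSessionByHashOnly($sessionStore, $cookies)); // identity of UserA
var_dump(getSessionBound($sessionStore, $cookies, time())); // NULL
```

Binding the lookup to the user cookie only detects the mismatch; the session record itself still has to be created with the authenticated username so the comparison has something trustworthy to check against.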