Summary: User.php : make $_SESSION parameters wiki-database
                    specific ("per-wiki"). Cookies are already.
           Product: MediaWiki
           Version: 1.16.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: Normal
         Component: User login

Created attachment 8122
diff of my patch against BRANCH 1.16.2 User.php r64678

I found the following bug in User.php which is _only_ apparent when running a
plurality of wikis on the same server and when users come to the different
wikis during the same session.

(Fortunately, the current software fails safely and logs out the user, because
the token will finally not match when users switch from one to another wiki in
the same session. The patch presents a clean solution that also session
parameters are saved per-wiki, which is currently not the case.)

When users access two wikis like http://server/wiki1 and http://server/wiki2 in
the same session, the user credentials are taken with first priority from the
session (see User.php loadFromSession).

Unlike the cookies names which already reflect the wiki database names in their
cookie names like 'wiki1userID', the session currently only uses a
database-INDEPENDT name 'wsUserID' etc. like $_SESSION['wsUserID'].

I developed a patch to make the session variables conform to the cookie names
and wish to have this or a similar change submitted to the current TRUNK.

The attached patch is for BRANCH 1.16.2. Basically, I added $wgCookiePrefix to
_all_ Session variables.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

Wikibugs-l mailing list

Reply via email to