https://bugzilla.wikimedia.org/show_bug.cgi?id=32122

       Web browser: ---
             Bug #: 32122
           Summary: PHP session data timeout problem
           Product: MediaWiki
           Version: 1.16.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: User login
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: dness...@yahoo.com
    Classification: Unclassified


There is a problem with the utilization of PHP sessions. The data of a timed
out PHP session survives and allows logged out users to edit data even when a
wiki is set up to only allow logged in users to edit pages. The bug is
reproducible in the following way.

+ First, permissions must be set so that anonymous users can only read pages,
while logged in users can perform the normal non-sysadmin functions.

On a development machine (NOT a production machine):

+ Log out of the wiki, if you are currently logged in (or have checked the
"remember me" box).

+ Make the following changes to php.ini:

  - session.gc_probability = 100
  - session.gc_divisor     = 100
  - session.gc_maxlifetime = 60
  - session.save_path = <some directory writable by httpd>

+ Restart httpd

+ Delete all sessions in the session directory (i.e., session.save_path).
This isn't strictly necessary, but it makes it easier to see how the
session data are manipulated.

+ Access the wiki and log in (DO NOT CHECK THE "REMEMBER ME" BOX). Move to
a wiki page that you can edit. A new session file is created and it will
look something like (assuming you logged on as the WikiSysop user):

wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|
s:9:"WikiSysop";wsLoginToken|N;

+ Wait 60 seconds or more.

+ Edit the page by clicking on the edit tab. Make a change and save the
page. You will see the message "Sorry! We could not process your edit due
to a loss of session data. Please try again. If it still does not work,
try logging out and logging back in." The session file will contain:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

+ Save the page again. This time it will work. The session data will not
change. Now look at Recent Changes. It will show the successful edit
assigned to an IP address, not to the user.

This indicates three problems. First, an edit is allowed even though the
session has expired. Second, the edit is assigned to an IP address (which,
actually, is a direct result of the first problem). Finally, you can continue
to edit pages even though you are shown as logged out (the "log in/create
account" message is shown at the top of the page).

This bug is discussed in the Mediawiki-l thread "MW seems to get confused when
IP address of client machine changes while user is logged in" started on
October 10, 11:16 a.m.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
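The two session files quoted in the report are the whole story: the first carries wsUserID, wsToken and wsUserName together; the second, written after the garbage collector removed the expired file and PHP re-created a session under the old ID, has wsUserID and wsUserName but no wsToken. The following is an added Python example, not MediaWiki or PHP code, that parses PHP's default "php" session serialization (key|serialized;...), applies the report's gc settings (probability 100 / divisor 100 / maxlifetime 60) to decide whether a file would be collected, and classifies each record so that a half-populated record is refused rather than silently treated as an anonymous editor. The key names come from the report; the classification policy and the function names are this example's own assumptions.

```python
"""Added example: parse PHP session files and classify them before authorizing an edit.

Assumptions (not from MediaWiki): the three keys wsUserID/wsToken/wsUserName must
all be present for a record to count as authenticated; anything partial is rejected.
"""

AUTH_KEYS = ("wsUserID", "wsToken", "wsUserName")

# Session files constructed from the two records quoted in the bug report.
SESSION_BEFORE_TIMEOUT = (
    b'wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";'
    b'wsUserName|s:9:"WikiSysop";wsLoginToken|N;'
)
SESSION_AFTER_TIMEOUT = b'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'


def parse_php_session(raw: bytes) -> dict:
    """Decode PHP's default session format: key|<serialize() output>; repeated.

    Handles the scalar types seen in session files: i:<int>; b:<0|1>; N; and
    s:<byte length>:"<bytes>"; . The string length is a byte count, which is
    why this works on bytes rather than str.
    """
    data = {}
    i, n = 0, len(raw)
    while i < n:
        bar = raw.index(b"|", i)
        key = raw[i:bar].decode("ascii")
        i = bar + 1
        tag = raw[i:i + 1]
        if tag == b"N":                       # N;
            value, i = None, i + 2
        elif tag in (b"i", b"b"):             # i:1;  b:0;
            end = raw.index(b";", i)
            num = int(raw[i + 2:end])
            value = bool(num) if tag == b"b" else num
            i = end + 1
        elif tag == b"s":                     # s:9:"WikiSysop";
            colon = raw.index(b":", i + 2)
            length = int(raw[i + 2:colon])
            start = colon + 2                 # skip ':"'
            value = raw[start:start + length].decode("utf-8")
            i = start + length + 2            # skip '";'
        else:
            raise ValueError(f"unsupported serialize() tag {tag!r} for key {key!r}")
        data[key] = value
    return data


def gc_would_collect(mtime: float, now: float, maxlifetime: int = 60) -> bool:
    """PHP's gc deletes a session file once it has been idle longer than
    session.gc_maxlifetime. With gc_probability = gc_divisor = 100 (the report's
    php.ini) the sweep runs on every request, so expiry is effectively immediate."""
    return now - mtime > maxlifetime


def classify_session(record: dict, mtime: float, now: float, maxlifetime: int = 60) -> str:
    """Return 'expired', 'anonymous', 'inconsistent' or 'authenticated'.

    'inconsistent' is the state from the report: identity keys survive (or are
    re-written) without the token that proves the login. A defender-side check
    must not let that state fall through to an edit attributed to an IP address.
    """
    if gc_would_collect(mtime, now, maxlifetime):
        return "expired"
    present = [k for k in AUTH_KEYS if record.get(k) is not None]
    if not present:
        return "anonymous"
    if len(present) != len(AUTH_KEYS):
        return "inconsistent"
    return "authenticated"


def may_edit(state: str, anonymous_can_edit: bool = False) -> bool:
    """Only a fully authenticated session edits on a wiki where anonymous
    editing is disabled; 'expired' and 'inconsistent' are always refused."""
    if state == "authenticated":
        return True
    if state == "anonymous":
        return anonymous_can_edit
    return False


if __name__ == "__main__":
    now = 1_000_000.0
    for label, raw, mtime in (
        ("fresh login", SESSION_BEFORE_TIMEOUT, now - 10),
        ("after gc, same session id", SESSION_AFTER_TIMEOUT, now - 5),
    ):
        state = classify_session(parse_php_session(raw), mtime, now)
        print(f"{label}: {state}, edit allowed = {may_edit(state)}")
```

Run stand-alone it prints one line per record; the second record is reported as inconsistent and the edit refused, which is the behaviour the report says MediaWiki 1.16.5 lacked.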