https://bugzilla.wikimedia.org/show_bug.cgi?id=32122
Web browser: ---
Bug #: 32122
Summary: PHP session data timeout problem
Product: MediaWiki
Version: 1.16.5
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: User login
AssignedTo: wikibugs-l@lists.wikimedia.org
ReportedBy: dness...@yahoo.com
Classification: Unclassified

There is a problem with the utilization of PHP sessions. The data of a timed-out PHP session survives and allows logged-out users to edit data even when a wiki is set up to only allow logged-in users to edit pages.

The bug is reproducible in the following way.

+ First, permissions must be set so that anonymous users can only read pages, while logged-in users can perform the normal non-sysadmin functions.

On a development machine (NOT a production machine):

+ Log out of the wiki, if you are currently logged in (or have checked the "remember me" box).
+ Make the following changes to php.ini:
  - session.gc_probability = 100
  - session.gc_divisor = 100
  - session.gc_maxlifetime = 60
  - session.save_path = <some directory writable by httpd>
+ Restart httpd.
+ Delete all sessions in the session directory (i.e., session.save_path). This isn't strictly necessary, but it makes it easier to see how the session data are manipulated.
+ Access the wiki and log in (DO NOT CHECK THE "REMEMBER ME" BOX). Move to a wiki page that you can edit. A new session file is created and it will look something like this (assuming you logged on as the WikiSysop user):

  wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|s:9:"WikiSysop";wsLoginToken|N;

+ Wait 60 seconds or more. Edit the page by clicking on the edit tab. Make a change and save the page. You will see the message "Sorry! We could not process your edit due to a loss of session data. Please try again. If it still does not work, try logging out and logging back in." The session file will contain:

  wsUserID|i:1;wsUserName|s:9:"WikiSysop";

  Save the page again. This time it will work. The session data will not change.
Now look at Recent Changes. The edit will show the successful edit assigned to an IP address, not to the user.

This indicates three problems. First, an edit is allowed even though the session has expired. Second, the edit is assigned to an IP address (which, actually, is a direct result of the first problem). Finally, you can continue to edit pages even though you are shown as logged out (the "log in/create account" message is shown at the top of the page).

This bug is discussed in the Mediawiki-l thread "MW seems to get confused when IP address of client machine changes while user is logged in" started on October 10, 11:16 a.m.
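Added example, not part of the report or of MediaWiki's code: a small parser for the `php` session-handler file format shown in the report (`name|<serialized value>` pairs, scalars and arrays only, an assumption of this example), plus a check that flags a session file carrying `wsUserID` but no `wsToken`, which is the state the report shows the file in after garbage collection. Pointing it at `session.save_path` lets an administrator see how many sessions are in that inconsistent state.

```python
"""Parse PHP 'php' session-handler files and flag sessions that carry a
user id without the wsToken that a fully authenticated session has."""

# Session contents copied from the bug report (before and after GC).
BEFORE_GC = ('wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";'
             'wsUserName|s:9:"WikiSysop";wsLoginToken|N;')
AFTER_GC = 'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'


def _parse_value(s, i):
    """Parse one PHP-serialized value at s[i]; return (value, next_index)."""
    t = s[i]
    if t == 'N':                      # N;
        return None, i + 2
    if t in 'ib':                     # i:1;  b:1;
        end = s.index(';', i)
        n = int(s[i + 2:end])
        return (bool(n) if t == 'b' else n), end + 1
    if t == 'd':                      # d:1.5;
        end = s.index(';', i)
        return float(s[i + 2:end]), end + 1
    if t == 's':                      # s:9:"WikiSysop";  (length-prefixed)
        colon = s.index(':', i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2             # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if t == 'a':                      # a:N:{<key><value>...}
        colon = s.index(':', i + 2)
        count = int(s[i + 2:colon])
        j, result = colon + 2, {}     # skip ':{'
        for _ in range(count):
            k, j = _parse_value(s, j)
            v, j = _parse_value(s, j)
            result[k] = v
        return result, j + 1          # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {i}")


def parse_session(data):
    """Split the 'name|value' records of a php session file into a dict."""
    out, i = {}, 0
    while i < len(data):
        bar = data.index('|', i)
        out[data[i:bar]], i = _parse_value(data, bar + 1)
    return out


def session_state(sess):
    """Classify a parsed session: anonymous, authenticated, or inconsistent."""
    if 'wsUserID' not in sess:
        return 'anonymous'
    if sess.get('wsToken'):
        return 'authenticated'
    return 'inconsistent'   # user id survived GC but the token did not
```

To audit a live save path, read each `sess_*` file and pass its contents to `parse_session`; any result classified `inconsistent` is a session in exactly the state the report describes.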