https://bugzilla.wikimedia.org/show_bug.cgi?id=32000

Juliano F. Ravasi <b...@juliano.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Normal
           Severity|normal                      |minor

--- Comment #1 from Juliano F. Ravasi <b...@juliano.info> 2011-11-06 20:02:16 UTC ---
Hello Vitaliy,

Your patch is already in my patch queue, but before submitting, I would like to
understand better in which situations this bug triggers, since I can't reproduce
it here.

To get an edit token in the comment form to submit a comment, the user needs to
have a session with MediaWiki. This session is either anonymous, or it is a
user login session created at login time. This session either ends with the
browser session, or after 30 days.

In theory, the user shouldn't have a session failure under normal
circumstances. If he got an edit token from the comment form, that edit token
should be valid along with his session until he closes the browser.

I want to be careful applying code that touches the session handling code due
to the danger of creating a [[w:Cross-site scripting]] vulnerability. But at
first glance your patch seems good.

Could you provide some more detailed steps on how to reproduce this problem
with the current version of MediaWiki?
