[Mediawiki-l] MW seems to get confused when IP address of client machine changes while user is logged in

Dan Nessett dnessett at yahoo.com
Tue Nov 1 17:38:41 UTC 2011


On Mon, 31 Oct 2011 23:57:59 +0100, Platonides wrote:

> Confirmed in trunk.
> 
> I detail what I think is happening:
> 
>> + Access the wiki and login (DO NOT CHECK THE "REMEMBER ME" BOX). Move
>> to a wiki page that you can edit. A new session file is created and it
>> will look something like (assuming you logged on as the WikiSysop
>> user):
>> 
>> wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|s:9:"WikiSysop";wsLoginToken|N;
> 
> You get a normal session.
> 
>> + Wait 60 seconds or more.
> 
> The session expires.
> 
> 
>> Edit the page by clicking on the edit tab.
> 
> This step is interesting, since the session is expired but you are
> treated as logged in. Maybe PHP is accepting the session, and then
> deleting it right away.
> 
> 
>> Make a change and save the
>> page. You will see the message "Sorry! We could not process your edit
>> due to a loss of session data. Please try again. If it still does not
>> work, try logging out and logging back in."
> 
> This is normal since you are trying to send a logged-in page as
> anonymous (token mismatch => that message).
> 
>> The session file will contain:
>> 
>> wsUserID|i:1;wsUserName|s:9:"WikiSysop";
> 
> Seems the wiki created a new session with the same name. Or perhaps it
> renewed only those two fields.
> 
>> Save the page again. This time it will work. The session data will not
>> change. Now look at Recent Changes. The edit will show the successful
>> edit assigned to an IP address not to the user.
> 
> You were now an IP, so it is normal that it produces the log as IP.
> 
>> If this result is reproducible, it indicates three problems.
> 
>> First, an
>> edit is allowed even though the session has expired.
> As far as you allow anonymous editing, this is not a bug. There's no way
> to differentiate that. Unless we check that if there's an unknown
> session in a cookie to show a big warning and not allow him to send
> anything.
> 
>> Second, the edit is
>> assigned to an IP address (which, actually, is a direct result of the
>> first problem).
> 
> As far as you pressed 'Save' when the header showed you as an IP, this is
> normal behavior.
> 
>> Finally, I can continue to edit pages even though I am shown as logged
>> out (the "log in/create account" message is shown at the top of the
>> page).
> 
> As far as you allow anonymous editing, this is normal behavior.
> 
> 
> I disagree on where the bugs are, but you are right that there's
> something strange going on with the session.

I should have mentioned that our wikis are set up so anonymous users can 
only read pages. You must be logged in to edit pages. However, when I set 
up the development wiki for the above test, I failed to set up 
permissions in that way. I will do so and get back to this thread with 
the results.

I have filed a bug - https://bugzilla.wikimedia.org/show_bug.cgi?id=32122

-- 
-- Dan Nessett
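
Added example (not part of the original message, and not MediaWiki code): a small Python reader for the two session file contents quoted in the thread, reporting which keys are present in the first dump but gone from the second. It assumes PHP's default "php" session serialization (name|serialized-value pairs) and handles only the scalar types seen in the thread plus booleans; the function names are hypothetical.

```python
def parse_php_session(raw: bytes) -> dict:
    """Decode name|value pairs from a PHP session file (scalar values only)."""
    out, pos = {}, 0
    while pos < len(raw):
        bar = raw.index(b"|", pos)          # key runs up to the next '|'
        key = raw[pos:bar].decode()
        out[key], pos = _read_scalar(raw, bar + 1)
    return out

def _expect(raw: bytes, pos: int, token: bytes) -> None:
    if raw[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")

def _read_scalar(raw: bytes, pos: int):
    tag = raw[pos:pos + 1]
    if tag == b"N":                         # N;
        _expect(raw, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b"):                 # i:<int>;  or  b:<0|1>;
        _expect(raw, pos + 1, b":")
        end = raw.index(b";", pos + 2)
        num = int(raw[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                         # s:<byte length>:"<bytes>";
        _expect(raw, pos + 1, b":")
        colon = raw.index(b":", pos + 2)
        length = int(raw[pos + 2:colon])
        start = colon + 2
        _expect(raw, colon + 1, b'"')
        _expect(raw, start + length, b'";')  # declared length must match
        return raw[start:start + length].decode(), start + length + 2
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def dropped_keys(before: bytes, after: bytes) -> list:
    """Keys present in the first session dump but missing from the second."""
    first, second = parse_php_session(before), parse_php_session(after)
    return sorted(k for k in first if k not in second)

# The two session file contents quoted in the thread.
BEFORE = (b'wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";'
          b'wsUserName|s:9:"WikiSysop";wsLoginToken|N;')
AFTER = b'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'

if __name__ == "__main__":
    print("before:", parse_php_session(BEFORE))
    print("after: ", parse_php_session(AFTER))
    print("dropped:", dropped_keys(BEFORE, AFTER))
```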



