On Tue, Oct 11, 2011 at 10:17 AM, Dan Nessett dnessett@yahoo.com wrote:
Thanks for your reply and for the clarification about sessions not associating with IP addresses. However, it seems unlikely that session expiration is the problem.
Our wikis require login before users can do anything other than view pages. However, when the situation I described previously occurs, the user is able to edit pages and do anything else his permissions allow when logged in. The problem appears to have something to do with the way IP addresses are mapped to user names by the logging logic. That is, the session is still active, but when entries are made in the logs, the username is replaced either by the IP address of the request or by the generic identifier "anonymous" (different behavior on different wikis - probably a configuration issue, which I am investigating).
Ok, my suspicion is on https://bugzilla.wikimedia.org/show_bug.cgi?id=28639, fixed in the 1.16.5 security release in May: < http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html
It looks like there may be some cases where session expiration (or similar issues) might have left things in a state where the previous user's permissions got kept but the other info got thrown away. This would presumably allow edits etc to finish up, while recording them as not a user id.
-- brion