On Tue, Oct 11, 2011 at 10:17 AM, Dan Nessett <dnessett(a)yahoo.com> wrote:
Thanks for your reply and for the clarification about
sessions not
associating with IP addresses. However, it seems unlikely that session
expiration is the problem.
Our wikis require login before users can do anything other than view
pages. However, when the situation I described previously occurs, the
user is able to edit pages and do anything else his permissions allow
when logged in. The problem appears to have something to do with the way
IP addresses are mapped to user names by the logging logic. That is, the
session is still active, but when entries are made in the logs, the
username is replaced either by the IP address of the request or by the
generic identifier "anonymous" (different behavior on different wikis -
probably a configuration issue, which I am investigating).
Ok, my suspicion is on <https://bugzilla.wikimedia.org/show_bug.cgi?id=28639>,
fixed in the 1.16.5 security release in May: <
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html
It looks like there may be some cases where session expiration (or similar
issues) might have left things in a state where the previous user's
permissions got kept but the other info got thrown away. This would
presumably allow edits etc to finish up, while recording them as not a user
id.
-- brion