On Mon, 10 Oct 2011 12:44:57 -0700, Brion Vibber wrote:
On Mon, Oct 10, 2011 at 11:16 AM, Dan Nessett <dnessett(a)yahoo.com> wrote:
We have been experiencing problems with MW 1.16.2 related to logged in
users on client machines where the IP address changes. I have looked
over the Bugzilla reports but could not find anything obviously
related.
If a user with a laptop logs into the wiki, puts the laptop to sleep,
moves to a different location and then attempts to continue
processing, the logs show his changes mapped to an IP address (or on
one of our wikis as anonymous), rather than his user name. A simple
thought experiment suggests the cookie presented to the wiki after the
laptop move has a different IP address than the request message. This
confuses MW, giving the user all his permissions (since he is logged
in), but not properly identifying the user's name in the logs.
Session cookies are not tied to IP addresses. Most likely, the session
has simply expired -- it won't make a difference whether you come back
on a different IP or the same one, expired session data will kill your
login.
Note that in the case of session expiration, the caching workaround
that we perform on logout (setting a 'logged out at time X' cookie)
doesn't work, so you may initially see a couple page views that still
look like you're logged in. You should not see this confusion on the
actual edit page itself -- this won't be cached so should show you that
you are not logged out.
Consider increasing PHP's session lifetime:
http://us2.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
the default is 1440 seconds (24 minutes), meaning that a session which
doesn't get touched for 24 minutes may get destroyed during garbage
collection.
It's also possible that there's something else in your system which
introduces an IP-address dependency for sessions, such as the session
encryption option in the suhosin plugin with some unsafe configuration
options used:
http://www.hardened-php.net/suhosin/configuration.html#suhosin.session.checkraddr
-- brion
Thanks for your reply and for the clarification about sessions not
associating with IP addresses. However, it seems unlikely that session
expiration is the problem.
Our wikis require login before users can do anything other than view
pages. However, when the situation I described previously occurs, the
user is able to edit pages and do anything else his permissions allow
when logged in. The problem appears to have something to do with the way
IP addresses are mapped to user names by the logging logic. That is, the
session is still active, but when entries are made in the logs, the
username is replaced either by the IP address of the request or by the
generic identifier "anonymous" (different behavior on different wikis -
probably a configuration issue, which I am investigating).
I need to clarify one thing. For a revision deletion/restore, the
identifier "Anonymous" appears in the deletion log, not in Recent
Changes, which has the IP address of the request. Recent changes always
records the IP address.
--
-- Dan Nessett
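
An added example, not part of the original messages and not MediaWiki's own code: a PHP check for the two causes suggested in the quoted reply, the session garbage-collection lifetime and a Suhosin IP-address binding. The sample values are constructed, the function name is hypothetical, and `suhosin.session.cryptraddr` is Suhosin's companion directive to the `checkraddr` option linked in the thread.

```php
<?php
// Added diagnostic, not MediaWiki code. Reports the PHP settings the thread
// points at. Pass a map of ini values to test constructed input; with no
// argument it reads the running configuration through ini_get().
function sessionFindings(?array $ini = null): array
{
    $keys = ['session.gc_maxlifetime', 'session.gc_probability',
             'session.gc_divisor', 'suhosin.session.checkraddr',
             'suhosin.session.cryptraddr'];
    if ($ini === null) {
        $ini = [];
        foreach ($keys as $key) {
            $value = ini_get($key);   // false when the directive is unknown (no suhosin)
            if ($value !== false) {
                $ini[$key] = $value;
            }
        }
    }
    $findings = [];

    // Idle time after which session data may be removed by garbage collection.
    $lifetime = (int) ($ini['session.gc_maxlifetime'] ?? 1440);
    $findings[] = sprintf('gc_maxlifetime=%d s: a session idle for more than %.0f min may be destroyed',
        $lifetime, $lifetime / 60);

    // GC runs on session start with probability gc_probability / gc_divisor.
    $prob = (int) ($ini['session.gc_probability'] ?? 1);
    $div  = (int) ($ini['session.gc_divisor'] ?? 100);
    $findings[] = ($prob <= 0 || $div <= 0)
        ? 'PHP-triggered GC is off: expiry depends on an external cleanup job'
        : sprintf('GC runs on about %.1f%% of session starts', 100 * $prob / $div);

    // Suhosin: number of REMOTE_ADDR octets (0-4) bound into the session.
    foreach (['suhosin.session.checkraddr', 'suhosin.session.cryptraddr'] as $key) {
        $octets = (int) ($ini[$key] ?? 0);
        if ($octets > 0) {
            $findings[] = sprintf('%s=%d: session is tied to %d octet(s) of the client IP',
                $key, $octets, $octets);
        }
    }
    return $findings;
}

// Constructed sample values, not taken from the poster's server.
$sample = ['session.gc_maxlifetime' => '1440', 'session.gc_probability' => '1',
           'session.gc_divisor' => '100', 'suhosin.session.checkraddr' => '4'];
foreach (sessionFindings($sample) as $line) {
    echo $line, PHP_EOL;
}
```

Calling `sessionFindings()` with no argument from a page served by the wiki's own web server reports the values that server actually applies, which can differ from the command-line PHP configuration.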