On Tue, 11 Oct 2011 14:37:56 -0700, Brion Vibber wrote:
On Tue, Oct 11, 2011 at 10:17 AM, Dan Nessett
<dnessett(a)yahoo.com>
wrote:
Thanks for your reply and for the clarification
about sessions not
associating with IP addresses. However, it seems unlikely that session
expiration is the problem.
Our wikis require login before users can do anything other than view
pages. However, when the situation I described previously occurs, the
user is able to edit pages and do anything else his permissions allow
when logged in. The problem appears to have something to do with the
way IP addresses are mapped to user names by the logging logic. That
is, the session is still active, but when entries are made in the logs,
the username is replaced either by the IP address of the request or by
the generic identifier "anonymous" (different behavior on different
wikis - probably a configuration issue, which I am investigating).
Ok, my suspicion is on
<https://bugzilla.wikimedia.org/show_bug.cgi?id=28639>, fixed in the
1.16.5 security release in May: <
http://lists.wikimedia.org/pipermail/mediawiki-announce/2011- May/000098.html
It looks like there may be some cases where session expiration (or
similar issues) might have left things in a state where the previous
user's permissions got kept but the other info got thrown away. This
would presumably allow edits etc to finish up, while recording them as
not a user id.
-- brion
Thanks. I will upgrade one of our wikis to 1.16.5 and see if that fixes
the problem. If so, I will upgrade the others.
--
-- Dan Nessett