On Tue, 01 Nov 2011 17:38:41 +0000, Dan Nessett wrote:
I should have mentioned that our wikis are set up so anonymous users can
only read pages. You must be logged in to edit pages. However, when I
set up the development wiki for the above test, I failed to set up
permissions in that way. I will do so and get back to this thread with
I have filed a bug -
I have run the test on wikis with permissions set as indicated above. In
both MW 1.16.2 and MW 1.16.5, the following message is displayed.
"You do not have permission to edit this page, for the following reason:
The action you have requested is limited to users in one of the groups:
You can view and copy the source of this page:"
So, I cannot reproduce the bug I am chasing.
I should mention that the motivation for this line of investigation arose
from an intermittent problem on our wikis (which run 1.16.2).
Occasionally edit records in Recent Changes would show up with the IP
address of the user making the edit. This should never happen on our
wikis since, as stated previously, only logged in users should have page
So, while I still believe there is a problem with PHP sessions, I cannot
yet reproduce the intermittent problem we observe. However, other
improper behavior is reproducible.
For example, on both MW 1.16.2 and MW 1.16.5, if you execute the procedure
specified earlier in this thread up to the point where an edit is
attempted (i.e., log in and wait 60 seconds) and then, instead of editing,
simply refresh the page, the line at the top of the page still shows the
user logged in. However, the session record changes from (before the 60
to (after the page refresh):
It isn't clear why the session file remains after the page refresh, since
it should have been cleared by the PHP garbage collector. Furthermore, it
isn't clear why the session record contains a wsUserName value of
WikiSysop. Since the user is logged out (although this isn't indicated on
the browser page), the session record should show an anonymous user.
If you refresh the page again, the logged in/out line is properly
displayed as logged out, but the session record has not changed. That is,
it still equals:
Finally, sometimes when logging in after refreshing the page twice, the
following error message is displayed:
"There seems to be a problem with your login session; this action has
been canceled as a precaution against session hijacking. Go back to the
previous page, reload that page and then try again."
The session data at this point reads:
This appears to improperly associate the username WikiSysop with an
anonymous login token.
I have updated the bug report to reflect the current state of
understanding about the problem.
-- Dan Nessett