Confirmed in trunk.
I detail what I think is happening:
- Access the wiki and login (DO NOT CHECK THE "REMEMBER ME" BOX). Move to
a wiki page that you can edit. A new session file is created and it will look something like (assuming you logged on as the WikiSysop user):
wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName| s:9:"WikiSysop";wsLoginToken|N;
You get a normal session.
- Wait 60 seconds or more.
The session expires.
Edit the page by clicking on the edit tab.
This step is interesting, since the session is expired but you are treated as logged in. Maybe php is accepting the session, and then deleting it right away.
Make a change and save the page. You will see the message "Sorry! We could not process your edit due to a loss of session data. Please try again. If it still does not work, try logging out and logging back in."
This is normal since you are trying to send a logged-in page as anonymous (token mismatch => that message).
The session file will contain:
wsUserID|i:1;wsUserName|s:9:"WikiSysop";
Seems the wiki created a new session with the same name. Or perhaps it renewed only those two fields.
Save the page again. This time it will work. The session data will not change. Now look at Recent Changes. The edit will show the successful edit assigned to an IP address not to the user.
You were now an IP, so it is normal that it produces the log as IP.
If this result is reproducible, it indicates three problems.
First, an edit is allowed even though the session has expired.
As far as you allow anoynmous editing, this is not a bug. There's no way to differenciate that. Unless we check that if there's an unknown session in a cookie to show a big warning and not allow him to send anything.
Second, the edit is assigned to an IP address (which, actually, is a direct result of the first problem).
As far as you pressed 'Save' when the header showed you as a IP, this is normal behavior.
Finally, I can continue to edit pages even though I am shown as logged out (the "log in/create account" message is shown at the top of the page).
As far as you allow anoynmous editing, this is normal behavior.
I disagree on where are the bugs, but you are right that there's somehting strange going on with the session.