Hi!
I'm running MediaWiki 1.4.0 and have some problems:

* Editing doesn't work properly: If I hit "Save page" I get the preview page instead. If I try often enough it will work. This problem occurs only when I'm logged in.
* Rollback doesn't work properly: I get a message saying that there is a problem with my login session and that it was cancelled as a precaution against session hijacking. This problem can also be solved by trying often enough.
* Same for uploading.
* If I log in and don't activate the checkbox saying that the wiki should remember me across sessions I'm instantly logged out again if I load the next page.
I think the editing and logout problem are also related to the anti-session-hijacking mechanism, even if there's no error message saying this.
I'm not familiar with PHP or web programming in general but I figured out what the problem might be: The wiki is hosted at Sourceforge.net. sf.net uses multiple apache-servers to serve web pages. When a page is requested an apache is selected by some kind of load balancing mechanism. My theory is that the wiki thinks someone tries to hijack my session anytime the apache that serves my pages changes. This would also explain why retrying very often helps: If the same apache that processed my "edit page" request also processes my "save page" request the wiki detects nothing unusual and lets me save the page.
Has someone else experienced this problem and found a solution? Maybe it is possible to deactivate the session hijacking detection somehow?
I would be very grateful if someone could help me.
regards, Hanno
_____________________________
Elrador - An online role-playing game http://elrador.de
Elrador Engine - create your own online game http://elrador-engine.sf.net
Hanno Braun wrote: [snip]
The wiki is hosted at Sourceforge.net. sf.net uses multiple apache-servers to serve web pages. When a page is requested an apache is selected by some kind of load balancing mechanism.
[snip]
You need to set the session save path to a directory that's common to all servers instead of /tmp, which is on the local hard drive.
See: http://www.php.net/session http://www.php.net/ini_set
Note that Sourceforge's project web servers are deliberately configured in a very insecure way for a multiuser server farm; any other registered developer on any other project can read your session files, or use the database password in your LocalSettings.php to get into your project's MySQL database.
Due to the security situation I would recommend against running a wiki or any other database-driven or password-accepting application in your SourceForge project web space.
-- brion vibber (brion @ pobox.com)
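The session save path change described in the reply above, as an added example that is not part of the original thread or of MediaWiki's own code. It assumes the fragment is placed in LocalSettings.php and runs before the session is started; the directory path and the variable name are placeholders.

```php
<?php
// Added example: fragment for LocalSettings.php.
// ASSUMPTION: placeholder path. Replace it with a directory on storage that
// every web server behind the load balancer mounts (not the local /tmp).
$sharedSessionDir = '/path/shared/by/all/servers/sessions';

// Create the directory on first use. Mode 0700 limits access to the account
// PHP runs as; on a host where every project's scripts run under that same
// account it does not stop other projects from reading the session files.
if (!is_dir($sharedSessionDir)) {
    mkdir($sharedSessionDir, 0700);
}

// Stop with a clear error instead of silently falling back to the
// per-server default, which would bring the intermittent logouts and
// "session hijacking" messages back. The path is kept out of the message.
if (!is_dir($sharedSessionDir) || !is_writable($sharedSessionDir)) {
    die('Session directory is missing or not writable.');
}

// Point PHP's file-based session handler at the shared directory.
// This must happen before the session is started.
session_save_path($sharedSessionDir);
// Equivalent call: ini_set('session.save_path', $sharedSessionDir);
```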
On 02.04.2005 at 23:02, Brion Vibber wrote:
You need to set the session save path to a directory that's common to all servers instead of /tmp, which is on the local hard drive. [...]
Thank you. I managed to do this, now everything works perfectly.
Note that Sourceforge's project web servers are deliberately configured in a very insecure way for a multiuser server farm; [...] Due to the security situation I would recommend against running a wiki or any other database-driven or password-accepting application in your SourceForge project web space.
Thank you for this advice, but I'm already aware of the security risk. I'm doing daily database backups to a protected directory and I will place advice on my website to tell my visitors about this risk. I don't like this situation, but the only alternatives that I see would be to place the wiki at some expensive hosting provider's webspace or on my own (very slow) servers.
Thank you for your help! Hanno
_____________________________
Elrador - An online role-playing game http://elrador.de
Elrador Engine - create your own online game http://elrador-engine.sf.net
mediawiki-l@lists.wikimedia.org