Confirmed in trunk.
I detail what I think is happening:
+ Access the wiki and login (DO NOT CHECK THE
"REMEMBER ME" BOX). Move to
a wiki page that you can edit. A new session file is created and it will
look something like (assuming you logged on as the WikiSysop user):
You get a normal session.
+ Wait 60 seconds or more.
The session expires.
Edit the page by clicking on the edit tab.
This step is interesting, since the session is expired but you are
treated as logged in. Maybe php is accepting the session, and then
deleting it right away.
Make a change and save the
page. You will see the message "Sorry! We could not process your edit due
to a loss of session data. Please try again. If it still does not work,
try logging out and logging back in."
This is normal since you are trying to send a logged-in page as
anonymous (token mismatch => that message).
The session file will contain:
Seems the wiki created a new session with the same name. Or perhaps it
renewed only those two fields.
Save the page again. This time it will work. The
session data will not
change. Now look at Recent Changes. The edit will show the successful
edit assigned to an IP address not to the user.
You were now an IP, so it is normal that it produces the log as IP.
If this result is reproducible, it indicates three
edit is allowed even though the session has expired.
As far as you allow anoynmous
editing, this is not a bug. There's no way
to differenciate that. Unless we check that if there's an unknown
session in a cookie to show a big warning and not allow him to send
Second, the edit is
assigned to an IP address (which, actually, is a direct result of the
As far as you pressed 'Save' when the header showed you as a IP, this is
Finally, I can continue to edit pages even though I am
shown as logged out (the "log in/create account" message is shown at the
top of the page).
As far as you allow anoynmous editing, this is normal behavior.
I disagree on where are the bugs, but you are right that there's
somehting strange going on with the session.