I'm trying to build a mediawiki page on the Sourceforge servers (project: Pyarie). I've got the problem that whenever I log in, either as an account or as WikiSysop, I can't stay logged in. If I go to another page, it seems to log me out. Then, and most interesting, if I go back to a page that I've seen previously, it'll log me back in.
For instance, I was able to log in as WikiSysop, edit my preferences and then when I went to Main Page, I was suddenly not logged in. So I logged in under a user account, went to a page that I previously saw as WikiSysop, and I suddenly WAS WikiSysop- I tested it by editing a page.
I'm not sure if this is a problem with Mediawiki or my setup (likely the latter.). I've repeated the behaviour with the current stable and the latest beta version both.
I'm using Firefox 1.0, no extensions and I've played with cookies and caching and it does the same thing regardless of setting. Again, this is on the sourceforge servers with a clean install of mediawiki. I even deleted all the tables and tried to start from scratch and the same thing happend.
Any ideas? What am I missing?
Cheers, -JW
Jonathan Pennington wrote:
I'm trying to build a mediawiki page on the Sourceforge servers (project: Pyarie). I've got the problem that whenever I log in, either as an account or as WikiSysop, I can't stay logged in. If I go to another page, it seems to log me out.
Sourceforge's project web hosting provides very poor PHP support unfortunately. First, it's set up fairly insecurely, so remember that for instance any other Sourceforge user with a developer login can read your database password.
Regarding sessions in particuar: the project web hosting is on a cluster of several servers, and they do not by default share session files. This means that when you open a login session, and then go to another page, the second page is probably loaded from a different server which doesn't see your session data. Load another page, maybe you hit the first server again, maybe you don't.
You can create a directory in your project space and set the session.save_path configuration variable with ini_set() in your LocalSettings.php. This should allow sessions to work and be shared across servers, but note that other Sourceforge account holders will be able to read and probably write to your session data.
http://www.php.net/session http://www.php.net/ini_set
-- brion vibber (brion @ pobox.com)
Brion, Thank you so much. I started thinking that I was going crazy. I'll look into the session handling functions and see what I can do about security. I wonder why SF would have such security issues. I'll especially remember your advice about database passwords and session files.
Cheers, -John
Brion Vibber wrote:
Jonathan Pennington wrote:
I'm trying to build a mediawiki page on the Sourceforge servers (project: Pyarie). I've got the problem that whenever I log in, either as an account or as WikiSysop, I can't stay logged in. If I go to another page, it seems to log me out.
Sourceforge's project web hosting provides very poor PHP support unfortunately. First, it's set up fairly insecurely, so remember that for instance any other Sourceforge user with a developer login can read your database password.
Regarding sessions in particuar: the project web hosting is on a cluster of several servers, and they do not by default share session files. This means that when you open a login session, and then go to another page, the second page is probably loaded from a different server which doesn't see your session data. Load another page, maybe you hit the first server again, maybe you don't.
You can create a directory in your project space and set the session.save_path configuration variable with ini_set() in your LocalSettings.php. This should allow sessions to work and be shared across servers, but note that other Sourceforge account holders will be able to read and probably write to your session data.
http://www.php.net/session http://www.php.net/ini_set
-- brion vibber (brion @ pobox.com)
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Brion, I did some digging and found that using session.cookie_domain by setting it to the main domain '.sourceforge.net' will automatically make the cookie valid for any XX.sourceforge.net server. I found $wgCookieDomain in DefaultSettings.php and set it in LocalSettings.php. This seems to work, and eliminates my other problem of not being able to do admin tasks from the web. Unless there are any issues with this method, it seems a bit better than a directory in the project space.
Thanks so much! -JW
Jonathan Pennington wrote:
I did some digging and found that using session.cookie_domain by setting it to the main domain '.sourceforge.net' will automatically make the cookie valid for any XX.sourceforge.net server. I found $wgCookieDomain in DefaultSettings.php and set it in LocalSettings.php. This seems to work, and eliminates my other problem of not being able to do admin tasks from the web. Unless there are any issues with this method, it seems a bit better than a directory in the project space.
I wouldn't expect that to affect this problem at all; every request to your project will go to the same hostname, even though they are hitting different machines on the other end.
Cookie management is done on the browser side, which doesn't know that foobar.sourceforge.net at time T and foobar.sourceforge.net at time T+1 are different computers. It will send the cookies with both requests.
-- brion vibber (brion @ pobox.com)
Brion,
You're right. I think I was just luckily hitting the same server because it stopped very quickly after that. The strange thing is that the session.save_path method seems to have stopped working as well.
Are there others on SourceForge servers using this method, or has everyone moved their webhosting of their sites?
Cheers, -JW
Brion Vibber wrote:
I wouldn't expect that to affect this problem at all; every request to your project will go to the same hostname, even though they are hitting different machines on the other end.
Cookie management is done on the browser side, which doesn't know that foobar.sourceforge.net at time T and foobar.sourceforge.net at time T+1 are different computers. It will send the cookies with both requests.
-- brion vibber (brion @ pobox.com)
mediawiki-l@lists.wikimedia.org