[Mediawiki-l] Missing session_start in SpecialUpload?

Stephen Warren swarren at wwwdotorg.org
Wed Feb 1 20:17:32 UTC 2006

Brion Vibber wrote:
>> Note: I'm running extensions/Auth_remoteuser.php to re-use HTTP AUTH in
>> the web server. I'm hoping that's not causing this problem?
> Sounds like.

OK. I've tracked down where wfSpecialUserlogin is called -
includes/SpecialPage.php does it when executing a special page, but grep
wasn't finding it, because the function is looked up at run-time by name
from a value in a string!

So, I see wfSpecialUserlogin will create a session the very first time
you hit the Special:Userlogin page. However, with Auth_remoteuser.php
(since authentication is inherited from the webserver login, without a
separate MediaWiki login), the user never hits this page, and hence
never has a session setup.

For a simple fix, I'll modify Auth_remoteuser.php to do the same thing
that SpecialPage.php does:

if( !$wgCommandLineMode && !isset( $_COOKIE[session_name()] )  ) {

However, I wonder if Auth_remoteuser.php shouldn't do something more
like below, so it automatically uses whatever code is in
wfSpecialUserlogin, rather than pasting it into the hook function...

if no session key:
  if at Special:Userlogin page
    display error
  # whatever Userlogin wants to redirect back here after acces
  args = "redirect_to=current_page"
  force redirect to Special:Userlogin?args

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20060201/79db0641/attachment.pgp 

More information about the MediaWiki-l mailing list