[Mediawiki-l] MW seems to get confused when IP address of client machine changes while user is logged in

Dan Nessett dnessett at yahoo.com
Tue Nov 1 18:43:47 UTC 2011 

On Tue, 01 Nov 2011 17:38:41 +0000, Dan Nessett wrote:

> 
> I should have mentioned that our wikis are set up so anonymous users can
> only read pages. You must be logged in to edit pages. However, when I
> set up the development wiki for the above test, I failed to set up
> permissions in that way. I will do so and get back to this thread with
> the results.
> 
> I have filed a bug -
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32122

I have run the test on wikis with permissions set as indicated above. In 
both MW 1.16.2 and MW 1.16.5, the following message is displayed.

"You do not have permission to edit this page, for the following reason: 

The action you have requested is limited to users in one of the groups: 
Users, Administrators. 

You can view and copy the source of this page:"

So, I cannot reproduce the bug I am chasing.

I should mention that the motivation for this line of investigation arose 
from an intermittent problem on our wikis (which run 1.16.2). 
Occasionally edit records in Recent Changes would show up with the IP 
address of the user making the edit. This should never happen on our 
wikis since, as stated previously, only logged in users should have page 
edit privileges.

So, while I still believe there is a problem with PHP sessions, I cannot 
yet reproduce the intermittent problem we observe. However, other 
improper behavior is reproducible.

For example on both MW 1.16.2 and MW 1.16.5 if you execute the procedure 
specified earlier in this thread up to the point where an edit is 
attempted (i.e., log in and wait 60 seconds). Then instead of editing, 
simply refresh the page, the line at the top of the page still shows the 
user logged in. However, the session record changes from (before the 60 
second timeout):

wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|
s:9:"WikiSysop";wsLoginToken|N;

to (after the page refresh):

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

It isn't clear why the session file remains after the page refresh, since 
it should have been cleared by the PHP garbage collector. Furthermore, it 
isn't clear why the session record contains a wsUserName value of 
WikiSysop. Since the user is logged out (although this isn't indicated on 
the browser page), the session record should show an anonymous user.

If you refresh the page again, the logged in/out line is properly 
displayed as logged out, but the session record has not changed. That is, 
it still equals:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

Finally, sometimes when logging in after refreshing the page twice, the 
following error message is displayed:

"Login error
 There seems to be a problem with your login session; this action has 
been canceled as a precaution against session hijacking. Go back to the 
previous page, reload that page and then try again."

The session data at this point reads:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";wsLoginToken|
s:32:"3bc03a309dd80ff94633dc6b43218309";

This appears to improperly associate the username WikiSysop with an 
anonymous login token.

I have updated the bug report to reflect the current state of 
understanding about the problem.

-- 
-- Dan Nessett

More information about the MediaWiki-l mailing list