On Tue, 01 Nov 2011 17:38:41 +0000, Dan Nessett wrote:
I should have mentioned that our wikis are set up so anonymous users can only read pages. You must be logged in to edit pages. However, when I set up the development wiki for the above test, I failed to set up permissions in that way. I will do so and get back to this thread with the results.
I have filed a bug - https://bugzilla.wikimedia.org/show_bug.cgi?id=32122
I have run the test on wikis with permissions set as indicated above. In both MW 1.16.2 and MW 1.16.5, the following message is displayed.
"You do not have permission to edit this page, for the following reason:
The action you have requested is limited to users in one of the groups: Users, Administrators.
You can view and copy the source of this page:"
So, I cannot reproduce the bug I am chasing.
I should mention that the motivation for this line of investigation arose from an intermittent problem on our wikis (which run 1.16.2). Occasionally, edit records in Recent Changes would show up with the IP address of the user making the edit. This should never happen on our wikis since, as stated previously, only logged-in users should have page edit privileges.
So, while I still believe there is a problem with PHP sessions, I cannot yet reproduce the intermittent problem we observe. However, other improper behavior is reproducible.
For example, on both MW 1.16.2 and MW 1.16.5, if you execute the procedure specified earlier in this thread up to the point where an edit is attempted (i.e., log in and wait 60 seconds) and then, instead of editing, simply refresh the page, the line at the top of the page still shows the user logged in. However, the session record changes from (before the 60 second timeout):
wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|s:9:"WikiSysop";wsLoginToken|N;
to (after the page refresh):
wsUserID|i:1;wsUserName|s:9:"WikiSysop";
It isn't clear why the session file remains after the page refresh, since it should have been cleared by the PHP garbage collector. Furthermore, it isn't clear why the session record contains a wsUserName value of WikiSysop. Since the user is logged out (although this isn't indicated on the browser page), the session record should show an anonymous user.
If you refresh the page again, the logged in/out line is properly displayed as logged out, but the session record has not changed. That is, it still equals:
wsUserID|i:1;wsUserName|s:9:"WikiSysop";
Finally, sometimes when logging in after refreshing the page twice, the following error message is displayed:
"Login error There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."
The session data at this point reads:
wsUserID|i:1;wsUserName|s:9:"WikiSysop";wsLoginToken|s:32:"3bc03a309dd80ff94633dc6b43218309";
This appears to improperly associate the username WikiSysop with an anonymous login token.
I have updated the bug report to reflect the current state of understanding about the problem.
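As an added example (not code from this thread or from MediaWiki), the following Python parses PHP's default "php" session serialization (the `key|value;` records quoted above), diffs two records, and flags the inconsistency described in the post: a session that still carries a wsUserID but has lost its wsToken. It assumes scalar values only (int, string, bool, float, null), which is all the quoted records contain.

```python
# Sample records: constructed copies of the session data quoted in the post above.
BEFORE_TIMEOUT = 'wsUserID|i:1;wsToken|s:32:"0ff5b9ecf52077fb05cc74731f13ba2b";wsUserName|s:9:"WikiSysop";wsLoginToken|N;'
AFTER_REFRESH = 'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'
AFTER_LOGIN_ERROR = 'wsUserID|i:1;wsUserName|s:9:"WikiSysop";wsLoginToken|s:32:"3bc03a309dd80ff94633dc6b43218309";'

def _read_value(data, pos):
    """Parse one scalar PHP-serialized value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == 'N':                       # N;  -> null
        return None, pos + 2
    if tag in 'ibd':                     # i:1;  b:0;  d:1.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        if tag == 'd':
            return float(raw), end + 1
        return (bool(int(raw)) if tag == 'b' else int(raw)), end + 1
    if tag == 's':                       # s:LEN:"bytes";  LEN is explicit, so slice by it, not by quotes
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                # skip the :" that follows the length
        if data[start + length:start + length + 2] != '";':
            raise ValueError(f'malformed string value at offset {pos}')
        return data[start:start + length], start + length + 2
    raise ValueError(f'unsupported PHP type {tag!r} at offset {pos}')

def parse_php_session(data):
    """Turn a key|value;key|value; session record into a dict."""
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)
        key = data[pos:bar]
        result[key], pos = _read_value(data, bar + 1)
    return result

def diff_sessions(before, after):
    """Report which keys vanished, appeared or changed value between two records."""
    a, b = parse_php_session(before), parse_php_session(after)
    return {
        'removed': sorted(k for k in a if k not in b),
        'added': sorted(k for k in b if k not in a),
        'changed': sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }

def inconsistent_fields(record):
    """Flag a record that names a logged-in user but lacks the wsToken that should accompany it."""
    s = parse_php_session(record)
    issues = []
    if s.get('wsUserID', 0) and 'wsToken' not in s:
        issues.append('wsUserID set but wsToken missing')
    return issues
```

Running `diff_sessions(BEFORE_TIMEOUT, AFTER_REFRESH)` shows exactly the two keys (wsToken and wsLoginToken) that disappear on the refresh the post describes, while wsUserID and wsUserName survive.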