[Mediawiki-l] MW seems to get confused when IP address of client machine changes while user is logged in

Dan Nessett dnessett at yahoo.com
Fri Nov 11 20:37:21 UTC 2011


On Tue, 11 Oct 2011 14:37:56 -0700, Brion Vibber wrote:

> On Tue, Oct 11, 2011 at 10:17 AM, Dan Nessett <dnessett at yahoo.com>
> wrote:
> 
>> Thanks for your reply and for the clarification about sessions not
>> associating with IP addresses. However, it seems unlikely that session
>> expiration is the problem.
>>
>> Our wikis require login before users can do anything other than view
>> pages. However, when the situation I described previously occurs, the
>> user is able to edit pages and do anything else his permissions allow
>> when logged in. The problem appears to have something to do with the
>> way IP addresses are mapped to user names by the logging logic. That
>> is, the session is still active, but when entries are made in the logs,
>> the username is replaced either by the IP address of the request or by
>> the generic identifier "anonymous" (different behavior on different
>> wikis - probably a configuration issue, which I am investigating).
>>
>>
> Ok, my suspicion is on
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=28639>, fixed in the
> 1.16.5 security release in May: <
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-
May/000098.html
>>
>>
> It looks like there may be some cases where session expiration (or
> similar issues) might have left things in a state where the previous
> user's permissions got kept but the other info got thrown away. This
> would presumably allow edits etc to finish up, while recording them as
> not a user id.
> 
> -- brion

I have verified that this problem is fixed in 1.16.5. See comment 19 of 
bug 32122 (https://bugzilla.wikimedia.org/show_bug.cgi?id=32122). I have 
closed the bug ticket with a status of resolved/fixed.


-- 
-- Dan Nessett




More information about the MediaWiki-l mailing list