r52194 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r52193‎ \| r52194 \| r52195 >
Date:	10:43, 20 June 2009
Author:	werdna
Status:	deferred
Tags:
Comment:	(bug 19158) For sanity, check that the session matches the User when automatically logging users in. Avoids session collisions causing users to be randomly logged-in as another user.
Modified paths:	/trunk/extensions/CentralAuth/CentralAuthHooks.php (modified) (history)

Diff [purge]

Index: trunk/extensions/CentralAuth/CentralAuthHooks.php
—	—	@@ -182,6 +182,17 @@
183	183	wfDebug( __METHOD__.": no token or session\n" );
184	184	return true;
185	185	}
	186	+
	187	+ // Sanity check to avoid session ID collisions, as reported on bug 19158
	188	+ if ( !isset($_COOKIE["{$prefix}User"]) ) {
	189	+ wfDebug( __METHOD__.": no User cookie, so unable to check for session mismatch\n" );
	190	+ return;
	191	+ } elseif ( $_COOKIE["{$prefix}User"] != $userName ) {
	192	+ wfDebug( __METHOD__.": Session ID/User mismatch. Possible session collision. ".
	193	+ "Expected: $userName; actual: ".
	194	+ $_COOKIE["{$prefix}User"]."\n" );
	195	+ return;
	196	+ }
186	197
187	198	// Clean up username
188	199	$title = Title::makeTitleSafe( NS_USER, $userName );

00:20, 14 September 2011 Meno25 (talk | contribs) changed the status of r52194 [removed: old added: deferred]
01:02, 14 November 2010 Reedy (talk | contribs) changed the status of r52194 [removed: new added: old]