
reset wsEditToken on login/logout

Authored By
Bawolff
Dec 30 2015, 1:58 AM
Size
1 KB

reset wsEditToken on login/logout

From e5adebd1d759d29e2be593ff67ac4263a8584554 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 29 Dec 2015 20:55:23 -0500
Subject: [PATCH] [Security] Reset wsEditToken on login
Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed
---
includes/specials/SpecialUserlogin.php | 3 ++-
includes/user/User.php | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index fec1e3a..562d982 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1616,7 +1616,8 @@ class LoginForm extends SpecialPage {
if ( $wgSecureLogin && !$this->mStickHTTPS ) {
$wgCookieSecure = false;
}
-
+ // Always make sure edit token is regenerated. (T114419)
+ $this->getRequest()->setSessionData( 'wsEditToken', null );
wfResetSessionID();
}
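Review bot: The added comment cites T114419 while the commit trailer names T122056, and neither tells a reader why the token has to be dropped at this point. A comment that states the reason would stay useful without the ticket, for example `// Drop the pre-login edit token so a CSRF token issued before authentication is never valid afterwards.` The clear also has to stay ahead of `wfResetSessionID()` if that function carries existing session data over to the new ID, which is not visible in this hunk, so the comment should mention the ordering. The enclosing method begins outside the hunk.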
diff --git a/includes/user/User.php b/includes/user/User.php
index 8fa430f..669ac85 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3655,11 +3655,14 @@ class User implements IDBAccessObject {
$this->clearInstanceCache( 'defaults' );
$this->getRequest()->setSessionData( 'wsUserID', 0 );
+ $this->getRequest()->setSessionData( 'wsEditToken', null );
$this->clearCookie( 'UserID' );
$this->clearCookie( 'Token' );
$this->clearCookie( 'forceHTTPS', false, array( 'prefix' => '' ) );
+ wfResetSessionID();
+
// Remember when user logged out, to prevent seeing cached pages
$this->setCookie( 'LoggedOut', time(), time() + 86400 );
}
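Review bot: The two lines added to the logout path carry no comment, unlike the login hunk, so the link between clearing `wsEditToken` and calling `wfResetSessionID()` is easy to break in a later edit. Suggest `// Clear the edit token and rotate the session ID so nothing issued to the logged-in session stays valid after logout.` above the `setSessionData( 'wsEditToken', null )` line. Only `wsUserID` and `wsEditToken` are cleared by name; if `wfResetSessionID()` preserves session contents (not shown here), any other per-user value stored in the session would carry into the post-logout session, which is worth confirming. The same clear-then-reset pair now also appears in SpecialUserlogin.php, and a shared helper would keep the two sites from drifting apart. The method starts outside the hunk.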
--
2.0.1
