
[OBSOLETE] SECURITY: Reset tokens on login/logout, and reset session on logout and API login.patch

Authored By
Anomie
Jan 15 2016, 7:22 PM
Size
1 KB
Referenced Files
None
Subscribers
None


From 696672034b4e78e48dfa4c794fe27acfeefc68e6 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 15 Jan 2016 14:20:11 -0500
Subject: [PATCH] SECURITY: Reset tokens on login/logout, and reset session on
logout and API login
Bug: T122056
Change-Id: Icc5e549cd3e3aab4e2b9d63a84315a36643abc20
---
includes/api/ApiLogin.php | 3 +++
includes/specials/SpecialUserlogin.php | 5 ++++-
includes/user/User.php | 2 ++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0704eb8..8fcc1f8 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,6 +132,9 @@ class ApiLogin extends ApiBase {
$this->getContext()->setUser( $user );
$user->setCookies( $this->getRequest(), null, true );
+ $session->resetAllTokens();
+ $session->resetId();
+
ApiQueryInfo::resetTokenCache();
// Run hooks.
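Review bot: `$session` is used at `$session->resetAllTokens();` but nothing in this hunk binds it; confirm it is assigned earlier in the method (the same session that `$user->setCookies( $this->getRequest(), null, true );` writes to), otherwise this is an undefined variable. Also, `$session->resetId();` runs after `setCookies` has already emitted the session cookie, so verify that the cookie the client receives carries the regenerated id rather than the pre-login one; if it does not, the old session id survives authentication, which is exactly what this change is meant to prevent.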
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index b3357ae..2794b4e 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1635,7 +1635,10 @@ class LoginForm extends SpecialPage {
$wgCookieSecure = false;
}
- MediaWiki\Session\SessionManager::getGlobalSession()->resetId();
+ // Always make sure edit token is regenerated. (T114419)
+ $session = MediaWiki\Session\SessionManager::getGlobalSession();
+ $session->resetAllTokens();
+ $session->resetId();
}
/**
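Review bot: the comment `// Always make sure edit token is regenerated. (T114419)` understates the change: `resetAllTokens()` discards every token held in the session, not only the edit token, so reword it (for example "Regenerate all session tokens and the session id on login") so a later reader does not narrow it back to the edit token. The bug reference also differs from the one in the commit message (T122056); citing both, or the one this line actually addresses, would help traceability.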
diff --git a/includes/user/User.php b/includes/user/User.php
index 62e1ab6..19d3b56 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3607,6 +3607,8 @@ class User implements IDBAccessObject {
$session->setLoggedOutTimestamp( time() );
$session->setUser( new User );
$session->set( 'wsUserID', 0 ); // Other code expects this
+ $session->resetAllTokens();
+ $session->resetId();
ScopedCallback::consume( $delay );
}
}
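Review bot: the two added lines run after `$session->set( 'wsUserID', 0 );` and `$session->setLoggedOutTimestamp( time() );`, so confirm that `resetId()` carries the existing session data over to the new id rather than starting an empty session; if it does not, the logged-out timestamp and the cleared user are lost together with the old id. Placing the reset before `ScopedCallback::consume( $delay );` looks right, since whatever `$delay` is holding back is released only after the session has already been rewritten.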
--
2.7.0.rc3


Event Timeline

Anomie updated the name for this file from "SECURITY: Reset tokens on login/logout, and reset session on logout and API login.patch" to "[OBSOLETE] SECURITY: Reset tokens on login/logout, and reset session on logout and API login.patch". Jan 15 2016, 11:57 PM