F3231160
SECURITY: Reset tokens on login/logout, and reset session on logout and API login.patch
Authored By: Anomie, Jan 15 2016, 11:56 PM (2016-01-15 23:56:40 UTC+0)
Size: 1 KB
From 3438d516d6716fe3ebb6097596ef6d8833806fd3 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 15 Jan 2016 14:20:11 -0500
Subject: [PATCH] SECURITY: Reset tokens on login/logout, and reset session on
logout and API login
Bug: T122056
Change-Id: Icc5e549cd3e3aab4e2b9d63a84315a36643abc20
---
includes/api/ApiLogin.php | 3 +++
includes/specials/SpecialUserlogin.php | 5 ++++-
includes/user/User.php | 2 ++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0704eb8..8fcc1f8 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,6 +132,9 @@ class ApiLogin extends ApiBase {
$this->getContext()->setUser( $user );
$user->setCookies( $this->getRequest(), null, true );
+ $session->resetAllTokens();
+ $session->resetId();
+
ApiQueryInfo::resetTokenCache();
// Run hooks.
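Review bot: `$session` is used on the added lines but nothing in the visible hunk shows where it is assigned, so check that it is the request's current global session rather than an object obtained before the user was switched; the hunk also calls `$session->resetId()` after `$user->setCookies( $this->getRequest(), null, true )`, so confirm the regenerated session ID is what ends up in the response cookie and not only the pre-reset ID that `setCookies()` wrote. For consistency with the SpecialUserlogin.php hunk, add the same `// Always make sure edit token is regenerated. (T122056)` comment here so the reason for the reset is documented on the API login path as well.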
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index b3357ae..d799371 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1635,7 +1635,10 @@ class LoginForm extends SpecialPage {
$wgCookieSecure = false;
}
- MediaWiki\Session\SessionManager::getGlobalSession()->resetId();
+ // Always make sure edit token is regenerated. (T122056)
+ $session = MediaWiki\Session\SessionManager::getGlobalSession();
+ $session->resetAllTokens();
+ $session->resetId();
}
/**
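Review bot: the added comment `// Always make sure edit token is regenerated. (T122056)` understates what the next line does: `resetAllTokens()` invalidates every token stored in the session, not only the edit token, so reword it (for example `// Reset all session tokens and the session ID on login. (T122056)`) so a later reader does not narrow the call to a single token. The ordering of `resetAllTokens()` before `resetId()` matches the other two hunks; the removed line shows the old code only called `resetId()`, which left previously issued tokens valid, the behaviour T122056 ("Old tokens are remaining valid within a new session") describes.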
diff --git a/includes/user/User.php b/includes/user/User.php
index 62e1ab6..19d3b56 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3607,6 +3607,8 @@ class User implements IDBAccessObject {
$session->setLoggedOutTimestamp( time() );
$session->setUser( new User );
$session->set( 'wsUserID', 0 ); // Other code expects this
+ $session->resetAllTokens();
+ $session->resetId();
ScopedCallback::consume( $delay );
}
}
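Review bot: the diffstat lists only the three source files and no test file, so nothing in the patch exercises the behaviour it exists to fix (a token issued before logout, or before a login, must be rejected afterwards); add a test that captures a token, runs the logout path and both login paths, and asserts the old token no longer validates. The same two-line `resetAllTokens()` / `resetId()` sequence is now repeated in all three hunks; a single session helper (or at least a comment stating that the two must always be called together) would stop a future call site from resetting the ID without the tokens, which is exactly how the old tokens stayed valid here.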
--
2.7.0.rc3
Attached To
rMW43cd4ec4a6c5: Update patch set 1
T122056: Old tokens are remaining valid within a new session