When logging into my dev wikis (post session manager), CentralAuth logins fail with "No active login attempt is in progress for your session." whenever the password hash is updated as part of the login process.
Related tasks:
|Status||Assignee||Task|
|Resolved||Bawolff||T122164 Better limitation on number of password guesses people can make|
|Duplicate||None||T122123 Send echo notification to user of how many failed logins there was since last successful login|
|Open||None||T122248 Password/login related security issues (Tracking)|
|Resolved||demon||T124940 MediaWiki 1.26.3 security release|
|Resolved||csteipp||T116030 Increase pbkdf2 parameter strengths|
|Resolved||None||T127396 Logins with CentralAuth fail when password re-hashed|
It's not so much that the password hash is updated as it is that the update is calling CentralAuthUser::setPassword() with $resetAuthToken true, which changes the auth token. But the User object being used by CentralAuthSessionProvider has a different CentralAuthUser instance, which has already been loaded and doesn't know there's a new auth token, so it winds up storing the old token in the session, and the session fails to load on the next pageview.
Two possibilities for fixing this come to mind:
- Arrange for CentralAuthUser::getInstance() to return the same instance if passed two different User objects for the same user.
- Set some sort of flag to tell other CentralAuthUser instances for the same username that they need to reload.
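The stale-instance failure described in the comment above, and the two proposed fixes, as an added illustration that is not CentralAuth's own code. AuthUser, CentralStore and loginSurvivesRehash() are hypothetical stand-ins for CentralAuthUser, the central user table and the login flow; the real getInstance() and setPassword() have different signatures, and the token rotation here is simplified to a random 128-bit value.

```php
<?php
declare(strict_types=1);

// Added illustration of the stale-instance problem, not CentralAuth code.
// AuthUser and CentralStore are hypothetical stand-ins for CentralAuthUser and
// the central user table; the real methods have different signatures.

// Simulated central user table: username => current auth token.
final class CentralStore
{
    /** @var array<string, string> */
    public static array $tokens = [];
}

final class AuthUser
{
    /** @var array<string, self> identity map by username (fix option 1) */
    private static array $instances = [];
    /** @var array<string, int> per-username reload counter (fix option 2) */
    private static array $generation = [];
    /** Whether instances consult the reload counter before trusting cached state. */
    public static bool $useGenerationFlag = false;

    private ?string $token = null;
    private int $loadedGeneration = -1;

    private function __construct(private string $name)
    {
    }

    /** As in the bug: every call returns a fresh object with its own cached state. */
    public static function newInstance(string $name): self
    {
        return new self($name);
    }

    /** Fix option 1: one instance per username, shared by every caller. */
    public static function getInstance(string $name): self
    {
        return self::$instances[$name] ??= new self($name);
    }

    /** Clear all static state between scenarios. */
    public static function resetAll(): void
    {
        self::$instances = [];
        self::$generation = [];
        CentralStore::$tokens = [];
    }

    private function load(): void
    {
        $current = self::$generation[$this->name] ?? 0;
        $stale = self::$useGenerationFlag && $this->loadedGeneration !== $current;
        if ($this->token === null || $stale) {
            // First load of a user mints a token; later loads read the stored one.
            CentralStore::$tokens[$this->name] ??= bin2hex(random_bytes(16));
            $this->token = CentralStore::$tokens[$this->name];
            $this->loadedGeneration = $current;
        }
    }

    public function getAuthToken(): string
    {
        $this->load();
        return $this->token;
    }

    /** Store a new hash (storage omitted here); with $resetAuthToken, rotate the token. */
    public function setPassword(string $hash, bool $resetAuthToken): void
    {
        $this->load();
        if ($resetAuthToken) {
            $this->token = bin2hex(random_bytes(16));
            CentralStore::$tokens[$this->name] = $this->token;
            // Fix option 2: bump the counter so other instances of this user reload.
            self::$generation[$this->name] = (self::$generation[$this->name] ?? 0) + 1;
            $this->loadedGeneration = self::$generation[$this->name];
        }
    }
}

/**
 * Replay the login: the session provider holds one AuthUser, the password
 * upgrade path obtains another (or the same one) for the same username.
 * Returns true when the token written to the session still matches the
 * central store, i.e. the session would load on the next pageview.
 */
function loginSurvivesRehash(callable $factory, bool $generationFlag): bool
{
    AuthUser::resetAll();
    AuthUser::$useGenerationFlag = $generationFlag;

    $sessionUser = $factory('Alice');   // loaded early by the session provider
    $sessionUser->getAuthToken();        // ... and already holding a token

    $rehashUser = $factory('Alice');     // obtained by the hash-upgrade path
    $rehashUser->setPassword('new-hash', true);   // rotates the token centrally

    $sessionToken = $sessionUser->getAuthToken();   // what lands in the session
    return hash_equals(CentralStore::$tokens['Alice'], $sessionToken);
}

var_dump(loginSurvivesRehash([AuthUser::class, 'newInstance'], false)); // the bug: two independent instances
var_dump(loginSurvivesRehash([AuthUser::class, 'getInstance'], false)); // fix option 1: shared instance
var_dump(loginSurvivesRehash([AuthUser::class, 'newInstance'], true));  // fix option 2: reload flag
```

The first call models the report: the session provider's instance keeps the token it loaded before the rotation and writes that into the session. The second call only changes the factory, so both code paths hold the same object and see the new token; the third keeps independent instances but makes every load compare its generation against the per-username counter that setPassword() bumps. Either fix closes the gap, but the identity map also removes the duplicate database loads, while the flag approach keeps working if instances are created from different User objects that cannot be unified.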