
Login sometimes causes unexpected "Login Error" message
Closed, Invalid (Public)

Description

Author: dnessett

Description:
This bug was discovered while working on bug 32122 (https://bugzilla.wikimedia.org/show_bug.cgi?id=32122). In order to reproduce it reliably, a developer must make the following changes to php.ini (this should *not* be done on a production machine, since the settings force the PHP garbage collector to run on every page access).

  • session.gc_probability = 100
  • session.gc_divisor = 100
  • session.gc_maxlifetime = 60
  • session.save_path = <some directory writable by httpd>

After making these changes restart httpd. Then execute the following:

1. Login
2. Immediately log out
3. Wait more than 60 seconds. Do not change the page; stay on the "Log out" page which states: "You are now logged out. You can continue to use MW_1_16_5 anonymously ..."
4. Login

The error:

"Login error
There seems to be a problem with your login session; this action has been
canceled as a precaution against session hijacking. Go back to the previous
page, reload that page and then try again."

is displayed.

This bug appears to arise due to session management logic in MW in tandem with PHP session garbage collection. One commenter on bug 32122 suggests this is expected behavior. However, from a user's point of view that is highly unlikely.

One possible solution is to destroy the session on logout. There is a PHP function, session_destroy that destroys session data, but it isn't clear whether that function actually deletes the session file. Also, it isn't clear how to delete sessions held by memcached.


Version: 1.16.x
Severity: normal
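An added example, not from the report or from MediaWiki, that checks the first open question above: whether session_destroy() removes the session file under PHP's default "files" save handler. It assumes PHP 7 or later run from the command line; the save path, session id and the wsLoginToken key are constructed for the demo.

```php
<?php
// Added example (not from the ticket): does session_destroy() delete the
// on-disk session file under the "files" save handler? Runs from the CLI.
$savePath = sys_get_temp_dir() . '/mw-session-demo';   // constructed path
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');       // CLI: there is no cookie to send
ini_set('session.use_strict_mode', '0');   // accept the fixed id chosen below
ini_set('session.gc_maxlifetime', '60');   // same value as in the report

$sid = 'demo1234567890abcdef';             // fixed id so the file name is known
$file = $savePath . '/sess_' . $sid;

// "Login" request: store a stand-in for the login token and flush to disk.
session_id($sid);
session_start();
$_SESSION['wsLoginToken'] = bin2hex(random_bytes(16));
session_write_close();                     // like the end of a web request
echo "after login request: ", file_exists($file) ? "session file exists\n" : "no file\n";

// "Logout" request: clear the data and destroy the session.
session_id($sid);
session_start();
$_SESSION = [];
session_destroy();                         // files handler unlinks sess_<id>
echo "after session_destroy(): ", file_exists($file) ? "file still present\n" : "file deleted\n";

// For comparison, what GC does: on a later session_start() where
// gc_probability/gc_divisor fires, files untouched for longer than
// gc_maxlifetime are removed. Any leftover files are listed here.
$cutoff = time() - (int) ini_get('session.gc_maxlifetime');
foreach (glob($savePath . '/sess_*') as $f) {
    echo basename($f), filemtime($f) < $cutoff ? " would be collected\n" : " still live\n";
}
```

With the files handler the second line prints "file deleted", because session_destroy() calls the save handler's destroy callback, which unlinks the file; the memcached save handler's destroy callback deletes the key the same way, but that path is not exercised here.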

Details

Reference
bz32363

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:01 AM
bzimport set Reference to bz32363.
bzimport added a subscriber: Unknown Object (MLST).

dnessett wrote:

I should have stipulated that when logging in DO NOT CHECK THE "REMEMBER ME" BOX.

Mainframe98 subscribed.

Session handling was overhauled in 1.27, as well as the authentication part of the login process.