
Logged in status incorrectly displayed after a PHP session timeout
Open, Medium, Public

Description

Author: dnessett

Description:
This bug was discovered while working on bug 32122
(https://bugzilla.wikimedia.org/show_bug.cgi?id=32122). In order to reproduce
it reliably, a developer must make the following changes to php.ini (this
should *not* be done on a production machine, since the settings force the PHP
garbage collector to run on every page access).

session.gc_probability = 100
session.gc_divisor = 100
session.gc_maxlifetime = 60
session.save_path = <some directory writable by httpd>

Log in (DO NOT CHECK THE "REMEMBER ME" BOX).

Print the contents of the session file (this is most easily accomplished by deleting all session files before login, which will mean only one session file exists after login). The session contents will look something like:

wsUserID|i:1;wsToken|s:32:"895091d5eb444a89d6e29b679b4ec8ac";wsUserName|s:9:"WikiSysop";wsLoginToken|N;

Wait 60 seconds or more.

Refresh the page.

The login status line will show something like:

<username> My talk My preferences My watchlist My contributions Log out

where <username> indicates the name of the user who logged in. However, the session file will contain something like:

wsUserID|i:1;wsUserName|s:9:"WikiSysop";

This means the user is actually logged out. So the login status line is incorrectly displayed. If you refresh the page once again, the login status line correctly indicates the user is logged out.

In a post to Mediawiki-l (http://www.mail-archive.com/mediawiki-l@lists.wikimedia.org/msg08967.html), Brion Vibber indicates this problem would be fixed if the enhancement request in https://bugzilla.wikimedia.org/show_bug.cgi?id=31639 were implemented.


Version: 1.16.x
Severity: normal
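
The comparison of the two session dumps above can be automated. This is an added example, not code from the report or from MediaWiki: it parses the `name|value` layout of the session file (scalar values only) and flags a session that still names a user but no longer holds `wsToken`. The state labels and the rule "no `wsToken` means logged out" are assumptions taken from the report's reading of the dumps.

```python
# Constructed inputs: the two session dumps quoted in the report.
BEFORE = (b'wsUserID|i:1;wsToken|s:32:"895091d5eb444a89d6e29b679b4ec8ac";'
          b'wsUserName|s:9:"WikiSysop";wsLoginToken|N;')
AFTER = b'wsUserID|i:1;wsUserName|s:9:"WikiSysop";'


def _read_value(data, pos):
    """Decode one scalar in PHP serialize() format; return (value, next_pos)."""
    tag = data[pos:pos + 2]
    if tag == b"N;":
        return None, pos + 2
    if tag == b"s:":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])   # length is in bytes, not characters
        start = colon + 2                   # skip the ':' and the opening quote
        end = start + length
        if data[colon + 1:start] != b'"' or data[end:end + 2] != b'";':
            raise ValueError("malformed string at offset %d" % pos)
        return data[start:end].decode("utf-8", "replace"), end + 2
    if tag in (b"i:", b"b:", b"d:"):
        semi = data.index(b";", pos)
        text = data[pos + 2:semi].decode("ascii")
        value = float(text) if tag == b"d:" else int(text)
        return (bool(value) if tag == b"b:" else value), semi + 1
    raise ValueError("unsupported type %r at offset %d" % (tag, pos))


def parse_session(data):
    """Parse the 'name|value' pairs of a PHP session file into a dict."""
    fields, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        name = data[pos:bar].decode("ascii")
        fields[name], pos = _read_value(data, bar + 1)
    return fields


def login_state(data):
    """Classify a session file the way the report reads the two dumps."""
    fields = parse_session(data)
    if "wsUserID" not in fields:
        return "anonymous"
    # Assumption from the report: identity fields without wsToken = logged out.
    return "logged-in" if fields.get("wsToken") else "stale-identity"


if __name__ == "__main__":
    for label, raw in (("before timeout", BEFORE), ("after timeout", AFTER)):
        print(label, "->", login_state(raw))
```

A `stale-identity` result on a file whose page still renders the logged-in status line is the mismatch this report describes.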

Details

Reference
bz32364