Last modified: 2012-05-07 06:47:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 19158 - Logged in as another user
Logged in as another user
Product: MediaWiki extensions
Classification: Unclassified
CentralAuth (Other open bugs)
All All
: Low major (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2009-06-11 14:37 UTC by Christian Thiele
Modified: 2012-05-07 06:47 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Christian Thiele 2009-06-11 14:37:25 UTC

at de.wikipedia someone who seems reliable (8k edits) claims, that he was identified as a wrong user - he could do everything from this user (he posted a screenshot from the Settings (see

His username is Marsupilami, the occupied username is Alasto2.

His cookies are correct (see at the bottom). 

After having a quick look at CentralAuthUser.php it seems to me, that getSession() only looks after the MD5 hash in the Session cookie. So maybe it's unlikly, that two people have the same hash, but I think it would be better to also check the "centralauth_User" cookie. I'm not sure, if I see the code correctly, but there is the problem, that one user can see/do everything for another user.
Comment 1 Andrew Garrett 2009-06-11 14:41:38 UTC
Changing bug summary from speculation to observation, downgrading severity because it's very infrequent.
Comment 2 Platonides 2009-06-11 15:27:01 UTC
Yes, they could be session collisions.
See bug 6464 for a previous instance of this bug.

A username check like r42040 on CentralAuthUser::getSession() seems a good idea.
Comment 3 Christian Thiele 2009-06-17 23:18:27 UTC
There is another question about this in de.wikipedia now and it seems, that it happend some weeks ago for another user, too. So, the known cases are not that rarely...
Comment 4 Andrew Garrett 2009-06-20 10:43:25 UTC
Committed a potential fix in r52194.
Comment 5 Pharos 2009-06-28 01:54:24 UTC
Happened to me today on en.wikipedia.

My username is Pharos, and the other fellow's is John Darrow
Comment 6 Pharos 2009-07-11 16:01:32 UTC
Just happened to me again, this time on Wikimedia Commons.

My username is Pharos, and the other fellow's is Wohltemperierter_Autor.
Comment 7 Hazard-SJ 2011-11-04 03:35:18 UTC
Is this still happening to anyone?
Comment 8 Siebrand Mazeland 2012-05-07 06:47:15 UTC
Marking resolved. No reports in over two years.

Note You need to log in before you can comment on or make changes to this bug.