Last modified: 2012-05-07 06:47:15 UTC
Hi, at de.wikipedia someone who seems reliable (8k edits) claims, that he was identified as a wrong user - he could do everything from this user (he posted a screenshot from the Settings (see http://de.wikipedia.org/wiki/Datei:Alasto2.png). His username is Marsupilami, the occupied username is Alasto2. His cookies are correct (see http://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=61039969#Wieso_bin_ich_nicht_mehr_ich.3F at the bottom). After having a quick look at CentralAuthUser.php it seems to me, that getSession() only looks after the MD5 hash in the Session cookie. So maybe it's unlikly, that two people have the same hash, but I think it would be better to also check the "centralauth_User" cookie. I'm not sure, if I see the code correctly, but there is the problem, that one user can see/do everything for another user.
Changing bug summary from speculation to observation, downgrading severity because it's very infrequent.
Yes, they could be session collisions. See bug 6464 for a previous instance of this bug. A username check like r42040 on CentralAuthUser::getSession() seems a good idea.
There is another question about this in de.wikipedia now and it seems, that it happend some weeks ago for another user, too. So, the known cases are not that rarely...
Committed a potential fix in r52194.
Happened to me today on en.wikipedia. My username is Pharos, and the other fellow's is John Darrow http://en.wikipedia.org/wiki/User_talk:John_Darrow#Major_bug
Just happened to me again, this time on Wikimedia Commons. My username is Pharos, and the other fellow's is Wohltemperierter_Autor.
Is this still happening to anyone?
Marking resolved. No reports in over two years.