Last modified: 2012-05-07 06:47:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T21158, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 19158 - Logged in as another user
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: unspecified
Hardware: All All
Importance: Low major
Target Milestone: ---
Assigned To: Nobody

Reported: 2009-06-11 14:37 UTC by Christian Thiele
Modified: 2012-05-07 06:47 UTC

Description Christian Thiele 2009-06-11 14:37:25 UTC
Hi,

at de.wikipedia someone who seems reliable (8k edits) claims that he was identified as the wrong user - he could do everything as this user (he posted a screenshot of the Settings, see http://de.wikipedia.org/wiki/Datei:Alasto2.png).

His username is Marsupilami, the occupied username is Alasto2.

His cookies are correct (see http://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=61039969#Wieso_bin_ich_nicht_mehr_ich.3F at the bottom). 

After having a quick look at CentralAuthUser.php it seems to me that getSession() only looks after the MD5 hash in the Session cookie. So maybe it's unlikely that two people have the same hash, but I think it would be better to also check the "centralauth_User" cookie. I'm not sure if I see the code correctly, but there is the problem that one user can see/do everything for another user.

Comment 1 Andrew Garrett 2009-06-11 14:41:38 UTC
Changing bug summary from speculation to observation, downgrading severity because it's very infrequent.

Comment 2 Platonides 2009-06-11 15:27:01 UTC
Yes, they could be session collisions.
See bug 6464 for a previous instance of this bug.

A username check like r42040 on CentralAuthUser::getSession() seems a good idea.
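
The username check suggested in the comments above, sketched as an added example (not CentralAuth's code and not the content of r42040 or r52194): a token-only session lookup next to one that also compares the session's stored owner with the user cookie. The function names, the store layout, the `centralauth_Session` cookie name and the users Alice and Bob are assumptions made for illustration.

```php
<?php
// Added illustration; function names and store layout are hypothetical,
// not taken from CentralAuthUser.php.

// Constructed session store (stand-in for a shared cache): token => data.
$store = [
    'c0ffee-constructed-token' => ['user' => 'Alice'],
];

// Before: the session token alone decides who the request belongs to.
function getSessionByTokenOnly(array $store, array $cookies): ?array
{
    $token = $cookies['centralauth_Session'] ?? '';
    return $store[$token] ?? null;
}

// After: the stored owner must also match the name in the user cookie.
function getSessionChecked(array $store, array $cookies): ?array
{
    $token   = $cookies['centralauth_Session'] ?? '';
    $claimed = $cookies['centralauth_User'] ?? '';
    $session = $store[$token] ?? null;
    if ($session === null || $claimed === '') {
        return null;
    }
    if (!hash_equals($session['user'], $claimed)) {
        // Collision or stale entry: record it and treat the request as logged out.
        error_log('central session owner does not match user cookie');
        return null;
    }
    return $session;
}

// Constructed requests: Bob's token collides with Alice's stored session.
$bob   = ['centralauth_User' => 'Bob',   'centralauth_Session' => 'c0ffee-constructed-token'];
$alice = ['centralauth_User' => 'Alice', 'centralauth_Session' => 'c0ffee-constructed-token'];

// Token-only lookup on Bob's request, then the checked lookup on both requests.
var_dump(getSessionByTokenOnly($store, $bob));
var_dump(getSessionChecked($store, $bob));
var_dump(getSessionChecked($store, $alice));
```

The token-only lookup resolves Bob's request to Alice's session, while the checked lookup returns no session for Bob and still resolves Alice's own request. Because the user cookie is client-supplied, the check guards against accidental collisions and does not replace an unguessable session token.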

Comment 3 Christian Thiele 2009-06-17 23:18:27 UTC
There is another question about this in de.wikipedia now and it seems that it happened some weeks ago for another user, too. So, the known cases are not that rare...

Comment 4 Andrew Garrett 2009-06-20 10:43:25 UTC
Committed a potential fix in r52194.

Comment 5 Pharos 2009-06-28 01:54:24 UTC
Happened to me today on en.wikipedia.

My username is Pharos, and the other fellow's is John Darrow.

http://en.wikipedia.org/wiki/User_talk:John_Darrow#Major_bug

Comment 6 Pharos 2009-07-11 16:01:32 UTC
Just happened to me again, this time on Wikimedia Commons.

My username is Pharos, and the other fellow's is Wohltemperierter_Autor.

Comment 7 Hazard-SJ 2011-11-04 03:35:18 UTC
Is this still happening to anyone?

Comment 8 Siebrand Mazeland 2012-05-07 06:47:15 UTC
Marking resolved. No reports in over two years.
