Page MenuHomePhabricator
Create Task
Maniphest T21158

Logged in as another user
Closed, ResolvedPublic
Actions

Description

Hi,

at de.wikipedia someone who seems reliable (8k edits) claims, that he was identified as a wrong user - he could do everything from this user (he posted a screenshot from the Settings (see http://de.wikipedia.org/wiki/Datei:Alasto2.png).

His username is Marsupilami, the occupied username is Alasto2.

His cookies are correct (see http://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=61039969#Wieso_bin_ich_nicht_mehr_ich.3F at the bottom).

After having a quick look at CentralAuthUser.php it seems to me, that getSession() only looks after the MD5 hash in the Session cookie. So maybe it's unlikly, that two people have the same hash, but I think it would be better to also check the "centralauth_User" cookie. I'm not sure, if I see the code correctly, but there is the problem, that one user can see/do everything for another user.

Version: unspecified
Severity: major

Details

Reference
bz19158

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 10:40 PM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz19158.
bzimport added a subscriber: Unknown Object (MLST).
APPER created this task.Jun 11 2009, 2:37 PM
werdna added a comment.Jun 11 2009, 2:41 PM

Changing bug summary from speculation to observation, downgrading severity because it's very infrequent.

Platonides added a comment.Jun 11 2009, 3:27 PM

Yes, they could be session collisions.
See bug 6464 for a previous instance of this bug.

A username check like r42040 on CentralAuthUser::getSession() seems a good idea.

APPER added a comment.Jun 17 2009, 11:18 PM

There is another question about this in de.wikipedia now and it seems, that it happend some weeks ago for another user, too. So, the known cases are not that rarely...

werdna added a comment.Jun 20 2009, 10:43 AM

Committed a potential fix in r52194.

Pharos added a comment.Jun 28 2009, 1:54 AM

Happened to me today on en.wikipedia.

My username is Pharos, and the other fellow's is John Darrow

http://en.wikipedia.org/wiki/User_talk:John_Darrow#Major_bug

Pharos added a comment.Jul 11 2009, 4:01 PM

Just happened to me again, this time on Wikimedia Commons.

My username is Pharos, and the other fellow's is Wohltemperierter_Autor.

Hazard-SJ added a comment.Nov 4 2011, 3:35 AM

Is this still happening to anyone?

siebrand added a comment.May 7 2012, 6:47 AM

Marking resolved. No reports in over two years.

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 6:09 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL