diff of my patch against BRANCH 1.16.2 User.php r64678
I found the following bug in User.php which is _only_ apparent when running a plurality of wikis on the same server and when users come to the different wikis during the same session.
(Fortunately, the current software fails safely and logs out the user, because the token will finally not match when users switch from one wiki to another in the same session. The patch presents a clean solution so that session parameters are also saved per wiki, which is currently not the case.)
When users access two wikis like http://server/wiki1 and http://server/wiki2 in the same session, the user credentials are taken with first priority from the session (see User.php loadFromSession).
Unlike the cookie names, which already reflect the wiki database names, like 'wiki1userID', the session currently only uses a database-INDEPENDENT name 'wsUserID' etc., like $_SESSION['wsUserID'].
I developed a patch to make the session variables conform to the cookie names and wish to have this or a similar change submitted to the current TRUNK.
The attached patch is for BRANCH 1.16.2. Basically, I added $wgCookiePrefix to _all_ Session variables.
Version: 1.16.x
Severity: critical
Attached:
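The collision described in this report, as an added illustration that is neither the reporter's attached patch nor MediaWiki source code. It models one PHP session shared by two wikis and compares the database-independent key with a key carrying `$wgCookiePrefix`. The user ids, token values, helper names and the exact prefixed key format are constructed assumptions.

```php
<?php
// Simplified model of the behaviour in the report; not MediaWiki source code.
// Constructed data: user id 7 is a different account with a different token
// in each wiki's own database.
$wikis = [
    'wiki1' => ['prefix' => 'wiki1', 'tokens' => [7 => 'tok-wiki1-alice']],
    'wiki2' => ['prefix' => 'wiki2', 'tokens' => [7 => 'tok-wiki2-bob']],
];

// Current behaviour per the report: the key is the same for every wiki.
$sharedKey = fn(string $prefix, string $name): string => 'ws' . $name;
// Proposed behaviour: the key carries the wiki's $wgCookiePrefix (format assumed).
$prefixedKey = fn(string $prefix, string $name): string => $prefix . 'ws' . $name;

// Hypothetical helper: stores the login in the shared session array.
function logIn(array &$session, array $wiki, int $id, callable $key): void {
    $session[$key($wiki['prefix'], 'UserID')] = $id;
    $session[$key($wiki['prefix'], 'Token')] = $wiki['tokens'][$id];
}

// Session-first lookup: returns the user id the wiki accepts, or null
// (anonymous) when the entry is absent or the token does not match.
function loadFromSession(array $session, array $wiki, callable $key): ?int {
    $id = $session[$key($wiki['prefix'], 'UserID')] ?? null;
    $token = $session[$key($wiki['prefix'], 'Token')] ?? null;
    if ($id === null || !isset($wiki['tokens'][$id])) {
        return null;
    }
    return hash_equals($wiki['tokens'][$id], (string)$token) ? $id : null;
}

foreach (['shared' => $sharedKey, 'prefixed' => $prefixedKey] as $label => $key) {
    $session = [];                               // one PHP session for both wikis
    logIn($session, $wikis['wiki1'], 7, $key);
    // Does wiki2 find a session entry that wiki1 wrote?
    $seenByWiki2 = array_key_exists($key('wiki2', 'UserID'), $session);
    logIn($session, $wikis['wiki2'], 7, $key);   // user now logs in to wiki2
    $backOnWiki1 = loadFromSession($session, $wikis['wiki1'], $key);
    printf("%-8s wiki2 sees wiki1's entry: %s; wiki1 still logged in: %s\n",
        $label, $seenByWiki2 ? 'yes' : 'no', $backOnWiki1 === 7 ? 'yes' : 'no');
}
```

With the shared key, wiki2 reads the entry written by wiki1, and a login on wiki2 overwrites it, so the token check fails on return to wiki1; with the prefixed key, both logins coexist in the same session.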