Topic on Project:Support desk

Session Hijacking error after Update 1.19.14

Summary by Ciencia Al Poder

For MediaWiki 1.27 error, see Topic:T75cloz7981b8i92

194.138.39.53 (talkcontribs)

Hello,

After updating my intranet wiki to MediaWiki 1.19.14, I receive an error on every password reset. This can be reproduced by all users: "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."

I already tried different things, but can't find a solution. My /tmp is writeable. I am using MediaWiki 1.19.14, PHP 5.3.10, MySQL 5.5.35 on Ubuntu 12.04 LTS. Can anybody please help with this issue?

Thanks in advance.

AKlapper (WMF) (talkcontribs)

Who triggers that error? MediaWiki itself? Your browser?

194.138.39.53 (talkcontribs)

The error is triggered by MediaWiki. I commented out the diffs which came with MW 1.19.14 to includes/special/SpecialChangePassword.php and the errors disappear.

AKlapper (WMF) (talkcontribs)

Grunny (talkcontribs)

This was a mistake in the backport to MW 1.19.14. I already sent a patch for it to Markus to see if we can get the fix released. If you want to fix it in the meantime, open up includes/specials/SpecialChangePassword.php and go to line 154, which should be:

			$loginOnChangeToken = LoginForm::getLoginToken();

And change it to:

			$loginOnChangeToken = Html::hidden( 'wpLoginOnChangeToken', LoginForm::getLoginToken() );

194.138.39.53 (talkcontribs)

This fix works, thank you very much!

117.193.4.10 (talkcontribs)

The error here occurred in a MediaWiki v1.16.5 install on a BlueOnyx server. The Apache error log, which exceeded 3.2GB, was corrected by purging it with:

			>/var/log/httpd/error_log

Zzmonty (talkcontribs)

I just tried to install 1.27, clean install, and I also got this error. What I did notice was that at one point the installer asks "End now" or "ask more questions." If I tried to install through the whole installer, I would get this error. If I stopped the installation after the "End now", I would not get this session error. It is really annoying that this problem still exists in version 1.27.

205.213.104.120 (talkcontribs)

I was having the exact same problem with 1.27.1 and comparing the resulting setting files showed the difference to be in $wgMainCacheType. Logins worked when caching was disabled, and after a bit more poking around it seems to be a problem with APCu session caching not working. The following is what did it for me:

$wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB;

2A02:1810:A438:8E00:A054:5808:5A:8989 (talkcontribs)

This fix worked for me, thanks.

174.77.79.55 (talkcontribs)

This correction worked for me, also.

Malyacko (talkcontribs)

The problem does not still exist in 1.27. It's a different problem (likely due to AuthManager code changes) with the same message displayed.
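
Both causes reported in this thread end in the same comparison of a session-held token against a posted form field, which is why they show the same message. The sketch below is an added example, not MediaWiki code and not from any poster: it assumes the token variable is written into the form markup and that the token is kept in session data; the function names and the array standing in for the session are hypothetical, and only the field name wpLoginOnChangeToken is taken from the thread.

```php
<?php
// Added illustration, not MediaWiki code. Function names and the array used as
// a session are hypothetical; only wpLoginOnChangeToken comes from the thread.
const FIELD = 'wpLoginOnChangeToken';

// Collect name => value for each named <input>, as a browser does on submit.
function submittedFields(string $formHtml): array {
    libxml_use_internal_errors(true);      // tolerate fragment markup quietly
    $doc = new DOMDocument();
    $doc->loadHTML($formHtml);
    $fields = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        $name = $input->getAttribute('name');
        if ($name !== '') {                // unnamed controls are never posted
            $fields[$name] = $input->getAttribute('value');
        }
    }
    return $fields;
}

// The posted token must equal the one the server kept in the session.
function checkToken(array $session, array $post): string {
    $expected = $session['loginToken'] ?? null;
    $given = $post[FIELD] ?? null;
    if (!is_string($expected) || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected (session hijacking precaution)';
    }
    return 'accepted';
}

$token = bin2hex(random_bytes(16));        // constructed sample token
$session = ['loginToken' => $token];       // assumption: token lives in session data

// Case 1 (assumed effect of the 1.19.14 line): bare token text, no form field.
$bare = '<form method="post">' . $token . '<input type="submit" value="Go"></form>';
// Case 2 (the fix): token carried in a named hidden field.
$hidden = '<form method="post"><input type="hidden" name="' . FIELD
    . '" value="' . $token . '"><input type="submit" value="Go"></form>';

echo 'bare token:      ', checkToken($session, submittedFields($bare)), "\n";
echo 'hidden field:    ', checkToken($session, submittedFields($hidden)), "\n";
// Case 3: correct form, but the session store returned nothing on the next
// request (assumed effect of the non-working APCu session cache in 1.27.1).
echo 'session lost:    ', checkToken([], submittedFields($hidden)), "\n";
```

Only the hidden-field case with intact session data is accepted; a missing field and a lost session are indistinguishable to the user, so the server-side session backend is worth checking whenever the form markup looks correct.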