Topic on Project:Support desk

Naterudd (talk | contribs)

I have just upgraded to MediaWiki 1.31 (from version 1.14). My site is password protected with Google's PHP API which saves login information in the PHP session. When I now log into the wiki I get the following warning: "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form." I know what the "hijacking" is because Google is saving things there. Is there anything I can comment out so that the login will continue even so? Since my site is already behind a password, I am not that concerned about maintaining MediaWiki's security.

AhmadF.Cheema (talk | contribs)

The error might be unrelated to your customized setup; there have been more than a few changes since MediaWiki 1.14 (almost a decade ago). See Topic:T7irqyk4rhfy3ohk.

Naterudd (talk | contribs)

Unfortunately, I have already read that post and played with the $wgMainCacheType and $wgSessionCacheType variables. I have tried the permutations they have suggested and I still get the error. Is there something else I can try?

Naterudd (talk | contribs)

I have found where the condition is catching, but I don't know what to do to fix the error. In AuthManagerSpecialPage.php, line 411, there is a check to make sure the requested token matches the session token. This condition is proving false when I don't want it to. Here are the values that those variables have:

$sessionToken = object(MediaWiki\Session\Token)#300 (3) {
  ["secret":"MediaWiki\Session\Token":private]=>
  string(32) "b626c7ef5ecfb59367b8d20e7aaca39c"
  ["salt":"MediaWiki\Session\Token":private]=>
  string(0) ""
  ["new":"MediaWiki\Session\Token":private]=>
  bool(false)
}

$requestTokenValue = string(43) "d5ddecb14be41c13f0e85a8aa35b51f55b7e3e57+\\"

I have tried to comment out lines 411 and 412, and while I do get redirected to my last visited page, my user isn't logged in.

Please let me know if anything can be done.

Naterudd (talk | contribs)

I have traced the problem to the fact that I was escaping POST variables coming in. I have disabled that. But now, the login page goes through, but I don't end up being logged in. What would be causing that?
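
The failure traced in the last post, as an added example that is not part of the thread and is not MediaWiki's own code: a site-wide wrapper that slash-escapes POST input lengthens a token ending in a backslash, so the token check fails even though nobody tampered with the request. The token layout (hex characters followed by `+\`) is an assumption inferred from the dumped value above; the helper names, field name, secret and timestamp are constructed for illustration.

```php
<?php
// Added example: simplified model, not MediaWiki source code.
// Assumption: a token is hex characters followed by the two-character
// suffix "+\" (the dumped request value above ends in "+\\" after escaping).

const TOKEN_SUFFIX = '+\\'; // two characters: plus sign, one backslash

// Hypothetical helper: build a token in the assumed layout.
function makeToken(string $secret, int $timestamp): string {
    return hash_hmac('md5', (string)$timestamp, $secret)
        . dechex($timestamp) . TOKEN_SUFFIX;
}

// Hypothetical stand-in for a legacy "escape every POST value" wrapper.
function legacyEscapePost(array $post): array {
    return array_map('addslashes', $post);
}

// Classify a submitted token so the cause of a mismatch shows up in logs.
function diagnoseToken(string $expected, string $submitted): string {
    if (hash_equals($expected, $submitted)) {
        return 'match';
    }
    // Undo one layer of slash-escaping. A match here means the application
    // altered its own input before the check ran.
    if (hash_equals($expected, stripslashes($submitted))) {
        return 'mismatch: input was slash-escaped before the token check';
    }
    return 'mismatch: token differs';
}

$secret   = 'constructed-secret-for-demo';  // constructed sample value
$expected = makeToken($secret, 1530000000); // constructed timestamp
$post     = ['token' => $expected];         // hypothetical form field name

$escaped = legacyEscapePost($post);

echo strlen($expected), ' -> ', strlen($escaped['token']), "\n"; // 42 -> 43
echo diagnoseToken($expected, $post['token']), "\n";
echo diagnoseToken($expected, $escaped['token']), "\n";
```

The 43-character length of the escaped value corresponds to the `string(43)` in the dump earlier in the thread. The diagnostic only labels the cause; the fix is to stop escaping raw request input globally, as the poster did, and leave the token check in place.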