Revert r76077, r76079, they were an overreaction to a security bug that wasn't really...
authorRoan Kattouw <catrope@users.mediawiki.org>
Fri, 5 Nov 2010 11:54:35 +0000 (11:54 +0000)
committerRoan Kattouw <catrope@users.mediawiki.org>
Fri, 5 Nov 2010 11:54:35 +0000 (11:54 +0000)
RELEASE-NOTES
includes/api/ApiLogin.php

index 290ec97..3e221d0 100644 (file)
@@ -490,8 +490,6 @@ LocalSettings.php. The specific bugs are listed below in the general notes.
 * (bug 25741) Add more data to list=search's srprop
 * (bug 25760) counter property still reported by the API when
   $wgDisableCounters enabled
-* (bug 25793) Session IDs no longer output by action=login to protect against
-  session hijacking
 
 === Languages updated in 1.17 ===
 
index 2542306..987d046 100644 (file)
@@ -87,12 +87,14 @@ class ApiLogin extends ApiBase {
                                $result['lgusername'] = $wgUser->getName();
                                $result['lgtoken'] = $wgUser->getToken();
                                $result['cookieprefix'] = $wgCookiePrefix;
+                               $result['sessionid'] = session_id();
                                break;
 
                        case LoginForm::NEED_TOKEN:
                                $result['result'] = 'NeedToken';
                                $result['token'] = $loginForm->getLoginToken();
                                $result['cookieprefix'] = $wgCookiePrefix;
+                               $result['sessionid'] = session_id();
                                break;
 
                        case LoginForm::WRONG_TOKEN:
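Review bot: The two added `$result['sessionid'] = session_id();` lines (in the case that sets `lgusername`/`lgtoken`, and in `NEED_TOKEN`) put the session identifier back into the response body with no comment explaining why that is acceptable, even though the release note removed by this same commit described its omission as protection against session hijacking. The value is a bearer credential, so anything that can read or record the API response holds the same access as the session cookie; whether this response is kept out of caches and logs is not visible in the hunk. In the `NEED_TOKEN` case the ID is handed out before authentication, so it is worth confirming that a successful login rotates the session ID, since otherwise the pre-login value stays valid afterwards. I would add a comment above each line, for example `// Deliberately exposed, see bug 25793: treat this response as a credential (no caching, no logging)`. The enclosing `switch` starts and ends outside the hunk.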