Reset all tokens on login

Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed

diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 136ce26..69f51b8 100644 (file)
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -2288,6 +2288,7 @@ class AuthManager implements LoggerAwareInterface {
                $delay = $session->delaySave();
 
                $session->resetId();
+               $session->resetAllTokens();
                if ( $session->canSetUser() ) {
                        $session->setUser( $user );
                }

diff --git a/includes/specials/pre-authmanager/SpecialUserlogin.php b/includes/specials/pre-authmanager/SpecialUserlogin.php
index e745129..8935a49 100644 (file)
--- a/includes/specials/pre-authmanager/SpecialUserlogin.php
+++ b/includes/specials/pre-authmanager/SpecialUserlogin.php
@@ -1718,6 +1718,7 @@ class LoginFormPreAuthManager extends SpecialPage {
                }
 
                SessionManager::getGlobalSession()->resetId();
+               SessionManager::getGlobalSession()->resetAllTokens();
        }
 
        /**

diff --git a/includes/user/User.php b/includes/user/User.php
index 70adc32..ff3171e 100644 (file)
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3904,6 +3904,7 @@ class User implements IDBAccessObject {
                        $session->setLoggedOutTimestamp( time() );
                        $session->setUser( new User );
                        $session->set( 'wsUserID', 0 ); // Other code expects this
+                       $session->resetAllTokens();
                        ScopedCallback::consume( $delay );
                        $error = false;
                }