git.heureux-cyclage.org - lhc/web/wiklou.git/commit

author	Brad Jorsch <bjorsch@wikimedia.org>
	Sat, 30 Jan 2016 15:54:24 +0000 (10:54 -0500)
committer	BryanDavis <bdavis@wikimedia.org>
	Sun, 31 Jan 2016 00:46:45 +0000 (00:46 +0000)
commit	4d1ad32d8acbd443346253d2f6a95024c833295c
tree	6ac922a3c38d4b1348f5b37ab9af33237440044d	tree \| snapshot
parent	95274f330d1d236fd741788a5ac86ace0e12d573	commit \| diff

Close a loophole in CookieSessionProvider

There's a crazy-small chance that someone could have a logged-out
session (e.g. by logging out or visiting a page that creates a session
despite being logged out), then the session expires, then someone else
logs in and gets the same session ID (which is about a 1 in a
quindecillion chance), then the first person comes in and picks up the
second person's session.

To avoid that, if there's no UserID cookie set (or the cookie value is
0) then indicate that the SessionInfo is for a logged-out user.

No idea if this is actually what happened in T125283, but it's worth
fixing anyway.

Bug: T125283
Change-Id: I44096c69aa7bd285e4e2472959e8d892200c5f2c

includes/session/CookieSessionProvider.php		diff \| blob \| history
tests/phpunit/includes/session/CookieSessionProviderTest.php		diff \| blob \| history