Last modified: 2012-12-24 06:26:53 UTC
This bug was discovered while working on bug 32122 (https://bugzilla.wikimedia.org/show_bug.cgi?id=32122). In order to reproduce it reliably, a developer must make the following changes to php.ini (this should *not* be done on a production machine, since the settings force the PHP garbage collector to run on every page access).

- session.gc_probability = 100
- session.gc_divisor = 100
- session.gc_maxlifetime = 60
- session.save_path = <some directory writable by httpd>

After making these changes restart httpd. Then execute the following:

- Login
- Immediately log out
- Wait more than 60 seconds. Do not change the page, stay on the "Log out" page which states: "You are now logged out. You can continue to use MW_1_16_5 anonymously ..."
- Login

The error:

"Login error There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."

is displayed.

This bug appears to arise due to session management logic in MW in tandem with PHP session garbage collection. One commenter on bug 32122 suggests this is expected behavior. However, from a user's point of view that is highly unlikely.

One possible solution is to destroy the session on logout. There is a PHP function, session_destroy that destroys session data, but it isn't clear whether that function actually deletes the session file. Also, it isn't clear how to delete sessions held by memcached.
I should have stipulated that when logging in DO NOT CHECK THE "REMEMBER ME" BOX.
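
The following is an added example, not part of the original report and not MediaWiki code. It shows the two ways a session file disappears with PHP's default `files` save handler: the garbage collector removing an aged file (the "wait more than 60 seconds" step) and `session_destroy()` removing the file at logout. It assumes the PHP CLI, version 7.1 or later for `session_gc()`; the scratch directory and the `user` key are constructed for the demonstration.

```php
<?php
// Added example. Run with: php session_demo.php
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();  // constructed scratch dir
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.gc_maxlifetime', '60');  // same lifetime as in the report
ini_set('session.gc_probability', '0');   // the collector is run by hand below
ini_set('session.use_cookies', '0');      // CLI run: there is no cookie to send
ini_set('session.cache_limiter', '');

// 1. "Login": session A is written to disk.
session_start();
$_SESSION['user'] = 'example';            // constructed session data
$fileA = $dir . '/sess_' . session_id();
session_write_close();
$aWritten = file_exists($fileA);

// 2. "Wait more than 60 seconds": age the file instead of sleeping.
touch($fileA, time() - 120);

// 3. A later request (session B) runs the collector, which removes A.
session_id(bin2hex(random_bytes(16)));
session_start();
$fileB = $dir . '/sess_' . session_id();
$collected = session_gc();
clearstatcache();
$aAfterGc = file_exists($fileA);

// 4. "Logout" of B: clear the data, then destroy the stored session.
$_SESSION = [];
$bBeforeDestroy = file_exists($fileB);
session_destroy();
clearstatcache();
$bAfterDestroy = file_exists($fileB);

rmdir($dir);
printf("A written to disk:        %s\n", var_export($aWritten, true));
printf("files removed by GC:      %s\n", var_export($collected, true));
printf("A present after GC:       %s\n", var_export($aAfterGc, true));
printf("B present before destroy: %s\n", var_export($bBeforeDestroy, true));
printf("B present after destroy:  %s\n", var_export($bAfterDestroy, true));
```

`session_destroy()` does not unset the session cookie, so in a web request the cookie still has to be expired separately for the browser to stop presenting the old session ID.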