Last modified: 2014-10-21 14:02:44 UTC
The help for action=login says "Log in and get the authentication tokens. In the event of a successful log-in, a cookie will be attached to your session. ..."

In fact, the first API result contains ONE token, and then if you provide this token and login is successful, you get a sessionid back in the API response, and the HTTP response header sets three cookies:

  <cookieprefix>UserID
  <cookieprefix>UserName
  <cookieprefix>Token, set to the sessionid in the API result

These all expire in a month; none is a session cookie.

A better description for includes/api/ApiLogin.php might be

  Log in and get sessionid and browser cookies. A successful login returns a session ID and its HTTP response header sets wiki cookies identifying the user. ...

Even this might vary with wiki configuration.
It's not like the client can reliably do anything useful with the returned session ID, since $wgSessionName isn't indicated and CentralAuth changes things too. It's probably better to just say that the needed cookies are returned in the HTTP response and leave details for https://www.mediawiki.org/wiki/API:Login.
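An added example, not part of the original report or of MediaWiki's code: a check over the Set-Cookie headers of a login response that reports which cookies are session cookies and how many days the persistent ones last, which is the behaviour the report describes. The response headers, the `examplewiki` cookie prefix and all values are constructed for illustration.

```python
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed headers of a successful login response (assumed values only).
SAMPLE_DATE = "Tue, 21 Oct 2014 14:00:00 GMT"
SAMPLE_SET_COOKIE = [
    "examplewikiUserID=42; expires=Thu, 20 Nov 2014 14:00:00 GMT; path=/; httponly",
    "examplewikiUserName=ExampleUser; expires=Thu, 20 Nov 2014 14:00:00 GMT; path=/; httponly",
    "examplewikiToken=0123456789abcdef; expires=Thu, 20 Nov 2014 14:00:00 GMT; path=/; httponly",
]


def audit_login_cookies(set_cookie_headers, response_date):
    """Map each cookie name to its lifetime in days, or None for a session cookie."""
    now = parsedate_to_datetime(response_date)
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["max-age"]:
                # Max-Age takes precedence over Expires when both are present.
                days = int(morsel["max-age"]) / 86400
            elif morsel["expires"]:
                expires = parsedate_to_datetime(morsel["expires"])
                days = (expires - now).total_seconds() / 86400
            else:
                days = None  # neither attribute: discarded when the browser closes
            report[name] = days
    return report


def persistent_cookies(report, max_days=0):
    """Names of cookies that outlive the browser session by more than max_days."""
    return sorted(n for n, d in report.items() if d is not None and d > max_days)


if __name__ == "__main__":
    result = audit_login_cookies(SAMPLE_SET_COOKIE, SAMPLE_DATE)
    for name, days in result.items():
        kind = "session cookie" if days is None else f"persistent, {days:.0f} days"
        print(f"{name}: {kind}")
```
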
Change 162960 had a related patch set uploaded by Anomie: API: Internationalize all remaining core API modules https://gerrit.wikimedia.org/r/162960
Change 162960 merged by jenkins-bot: API: Internationalize all remaining core API modules https://gerrit.wikimedia.org/r/162960