From 87fed465e405495799ca1ab3a8eeebd9403f5566 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 29 Dec 2015 20:55:23 -0500
Subject: [PATCH] Reset wsEditToken on login

Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed
---
 includes/User.php                      | 3 +++
 includes/specials/SpecialUserlogin.php | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/User.php b/includes/User.php
index 6f4ca15..d9e1d9c 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -3370,11 +3370,14 @@ class User {
 		$this->clearInstanceCache( 'defaults' );
 
 		$this->getRequest()->setSessionData( 'wsUserID', 0 );
+		$this->getRequest()->setSessionData( 'wsEditToken', null );
 
 		$this->clearCookie( 'UserID' );
 		$this->clearCookie( 'Token' );
 		$this->clearCookie( 'forceHTTPS', false, array( 'prefix' => '' ) );
 
+		wfResetSessionID();
+
 		// Remember when user logged out, to prevent seeing cached pages
 		$this->setCookie( 'LoggedOut', time(), time() + 86400 );
 	}
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 9a2e194..d456f03 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1435,7 +1435,8 @@ class LoginForm extends SpecialPage {
 		if ( $wgSecureLogin && !$this->mStickHTTPS ) {
 			$wgCookieSecure = false;
 		}
-
+		// Always make sure edit token is regenerated. (T114419)
+		$this->getRequest()->setSessionData( 'wsEditToken', null );
 		wfResetSessionID();
 	}
 
-- 
2.8.1