From a1617412fa7c9d550163d9fe9bfd6663a178d26f Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 29 Dec 2015 20:55:23 -0500
Subject: [PATCH] Reset wsEditToken on login

Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed
---
 includes/User.php                      | 3 +++
 includes/specials/SpecialUserlogin.php | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/User.php b/includes/User.php
index 62d72bd..877a8f2 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -3565,11 +3565,14 @@ class User implements IDBAccessObject {
 		$this->clearInstanceCache( 'defaults' );
 
 		$this->getRequest()->setSessionData( 'wsUserID', 0 );
+		$this->getRequest()->setSessionData( 'wsEditToken', null );
 
 		$this->clearCookie( 'UserID' );
 		$this->clearCookie( 'Token' );
 		$this->clearCookie( 'forceHTTPS', false, array( 'prefix' => '' ) );
 
+		wfResetSessionID();
+
 		// Remember when user logged out, to prevent seeing cached pages
 		$this->setCookie( 'LoggedOut', time(), time() + 86400 );
 	}
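Review bot: The two lines added to this logout path carry no comment, unlike the matching change in SpecialUserlogin.php, and the commit subject mentions only login. I would add `// Clear the edit (CSRF) token and rotate the session ID so nothing issued to the logged-in session stays valid after logout.` above the `setSessionData( 'wsEditToken', null )` line. The visible lines reset only `wsUserID` and `wsEditToken`. If `wfResetSessionID()` carries the remaining session data over to the new ID (its body is not shown here), it is worth confirming that no other per-user session key survives logout. The enclosing method starts outside the hunk.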
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 10edbcf..f323d8a 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1554,7 +1554,8 @@ class LoginForm extends SpecialPage {
 		if ( $wgSecureLogin && !$this->mStickHTTPS ) {
 			$wgCookieSecure = false;
 		}
-
+		// Always make sure edit token is regenerated. (T114419)
+		$this->getRequest()->setSessionData( 'wsEditToken', null );
 		wfResetSessionID();
 	}
 
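Review bot: The new comment says the edit token is "regenerated", but the line beneath it only sets `wsEditToken` to null; a fresh token is presumably created lazily on the next request for one, which this hunk does not show. The comment would be more useful if it stated the security reason, e.g. `// Drop any edit token issued before authentication so it cannot be reused in the logged-in session. (T114419)`. It cites T114419 while the commit trailer cites T122056, so a reader following either ID will want both mentioned or the relation explained in the commit message. The clear-then-`wfResetSessionID()` pair now appears in both files, and a small shared helper would keep the login and logout paths from drifting apart. The enclosing method starts outside the hunk.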
-- 
2.8.1

