From 696672034b4e78e48dfa4c794fe27acfeefc68e6 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 15 Jan 2016 14:20:11 -0500
Subject: [PATCH] SECURITY: Reset tokens on login/logout, and reset session on
 logout and API login

Bug: T122056
Change-Id: Icc5e549cd3e3aab4e2b9d63a84315a36643abc20
---
 includes/api/ApiLogin.php              | 3 +++
 includes/specials/SpecialUserlogin.php | 5 ++++-
 includes/user/User.php                 | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0704eb8..8fcc1f8 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,6 +132,9 @@ class ApiLogin extends ApiBase {
 				$this->getContext()->setUser( $user );
 				$user->setCookies( $this->getRequest(), null, true );
 
+				$session->resetAllTokens();
+				$session->resetId();
+
 				ApiQueryInfo::resetTokenCache();
 
 				// Run hooks.
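Review bot: The two added calls run after `$user->setCookies( ... )` on the line above, so the session cookie that `setCookies` has just emitted may still carry the pre-login session ID unless `resetId()` itself re-persists the session to the response; that ordering is what makes this a session-fixation fix rather than a token refresh, so it is worth confirming (or calling `resetId()` before `setCookies`) and stating in a comment. `$session` is not defined within the hunk, so it is presumably assigned earlier in this method, which starts outside the hunk. I would add above the new lines: `// Rekey the session and regenerate CSRF tokens so a pre-login session ID or token cannot be carried into the authenticated session (T122056).`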
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index b3357ae..2794b4e 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1635,7 +1635,10 @@ class LoginForm extends SpecialPage {
 			$wgCookieSecure = false;
 		}
 
-		MediaWiki\Session\SessionManager::getGlobalSession()->resetId();
+		// Always make sure edit token is regenerated. (T114419)
+		$session = MediaWiki\Session\SessionManager::getGlobalSession();
+		$session->resetAllTokens();
+		$session->resetId();
 	}
 
 	/**
diff --git a/includes/user/User.php b/includes/user/User.php
index 62e1ab6..19d3b56 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3607,6 +3607,8 @@ class User implements IDBAccessObject {
 			$session->setLoggedOutTimestamp( time() );
 			$session->setUser( new User );
 			$session->set( 'wsUserID', 0 ); // Other code expects this
+			$session->resetAllTokens();
+			$session->resetId();
 			ScopedCallback::consume( $delay );
 		}
 	}
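Review bot: The logout path rekeys the session with `resetId()` but keeps its contents: apart from the user, `wsUserID` and the tokens reset above, any other keys stored in the session during the logged-in period survive under the new ID, which is presumably not what a logout should leave behind. Unless the callers rely on that data, clearing the remaining session data (or unpersisting the session entirely) before `ScopedCallback::consume( $delay )` would be safer; that is a design question the commit should settle explicitly. The enclosing method starts outside the hunk, so whether `$delay` covers all of these writes cannot be confirmed here. I would at least document the intent: `// Rekey the session and drop all tokens so the anonymous session cannot be correlated with, or reuse tokens from, the logged-out user (T122056).`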
-- 
2.7.0.rc3

