From c90edcba93094163cd3be1935527339b93f3a627 Mon Sep 17 00:00:00 2001
From: Andrew H <crazy4sb@gmail.com>
Date: Mon, 21 Dec 2015 21:16:01 +0000
Subject: [PATCH] SECURITY: Remove tokens from session when the user logs out

Bug: T122056
Change-Id: Ica0519d18171feeb359bbbe59c37b38e16cbdafd
---
 includes/user/User.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/includes/user/User.php b/includes/user/User.php
index fed9664..8098332 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3656,6 +3656,7 @@ class User implements IDBAccessObject {
 		$this->clearInstanceCache( 'defaults' );
 
 		$this->getRequest()->setSessionData( 'wsUserID', 0 );
+		$this->getRequest()->setSessionData( 'wsEditToken', '' );
 
 		$this->clearCookie( 'UserID' );
 		$this->clearCookie( 'Token' );
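Review bot: The added line overwrites `wsEditToken` with an empty string instead of unsetting it, and the code that reads this session key is outside the hunk, so it is not visible whether `''` counts as "no token". If the reader only generates a fresh secret when the value is `null`, a later login in the same session would derive edit tokens from an empty secret, which is predictable. Consider `$this->getRequest()->setSessionData( 'wsEditToken', null );`, or confirm the getter regenerates on `''`. A short comment such as `// Drop the edit token so it cannot be reused after logout (T122056)` would also help; the enclosing method starts and ends outside this hunk.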
-- 
1.9.1

