From: Roan Kattouw Date: Fri, 5 Nov 2010 11:54:35 +0000 (+0000) Subject: Revert r76077, r76079, they were an overreaction to a security bug that wasn't really... X-Git-Tag: 1.31.0-rc.0~34081 X-Git-Url: http://git.cyclocoop.org/%24href?a=commitdiff_plain;h=79b4e0fdd86aec4226743f79faf65195d5ad2268;p=lhc%2Fweb%2Fwiklou.git Revert r76077, r76079, they were an overreaction to a security bug that wasn't really a security issue at all. The API will currently echo your session cookie back at you, but an attacker can only read that output using same-domain AJAX, and if they can do that they can do worse things (and steal the user's session in easier ways). --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 290ec97b34..3e221d075a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -490,8 +490,6 @@ LocalSettings.php. The specific bugs are listed below in the general notes. * (bug 25741) Add more data to list=search's srprop * (bug 25760) counter property still reported by the API when $wgDisableCounters enabled -* (bug 25793) Session IDs no longer output by action=login to protect against - session hijacking === Languages updated in 1.17 === diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index 25423063c6..987d0468ee 100644 --- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -87,12 +87,14 @@ class ApiLogin extends ApiBase { $result['lgusername'] = $wgUser->getName(); $result['lgtoken'] = $wgUser->getToken(); $result['cookieprefix'] = $wgCookiePrefix; + $result['sessionid'] = session_id(); break; case LoginForm::NEED_TOKEN: $result['result'] = 'NeedToken'; $result['token'] = $loginForm->getLoginToken(); $result['cookieprefix'] = $wgCookiePrefix; + $result['sessionid'] = session_id(); break; case LoginForm::WRONG_TOKEN:
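Review bot: both `$result['sessionid'] = session_id();` lines in the ApiLogin.php hunk place the raw session identifier in the API result, and the second one does so in the `LoginForm::NEED_TOKEN` branch, i.e. before any credentials have been verified. The reasoning in the commit message (only same-domain AJAX can read the output) covers the browser case, but once the value is in the response body it is also exposed to whatever logging, proxying or caching the API output passes through, and it becomes readable by page script even where the session cookie itself is not. If the field exists for non-browser clients that cannot keep cookies, say so in a code comment beside the assignment so the rationale survives outside the commit log, and consider whether the `NeedToken` case needs it at all, since the client already receives the session cookie (together with `cookieprefix`) to continue the login.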