}
if ( isset( $session['wsToken'] ) && $session['wsToken'] ) {
+ // @todo Why does this directly mess with the session? Fix that.
// add edit token to fake session
$session['wsEditToken'] = $session['wsToken'];
// add token to request parameters
- $params['token'] = md5( $session['wsToken'] ) . User::EDIT_TOKEN_SUFFIX;
+ $timestamp = wfTimestamp();
+ $params['token'] = hash_hmac( 'md5', $timestamp, $session['wsToken'] ) .
+ dechex( $timestamp ) .
+ User::EDIT_TOKEN_SUFFIX;
return $this->doApiRequest( $params, $session, false, $user );
} else {