From 79b4e0fdd86aec4226743f79faf65195d5ad2268 Mon Sep 17 00:00:00 2001
From: Roan Kattouw
Date: Fri, 5 Nov 2010 11:54:35 +0000
Subject: [PATCH] Revert r76077, r76079, they were an overreaction to a security bug that wasn't really a security issue at all. The API will currently echo your session cookie back at you, but an attacker can only read that output using same-domain AJAX, and if they can do that they can do worse things (and steal the user's session in easier ways).
---
 RELEASE-NOTES | 2 --
 includes/api/ApiLogin.php | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 290ec97b34..3e221d075a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -490,8 +490,6 @@ LocalSettings.php. The specific bugs are listed below in the general notes.
 * (bug 25741) Add more data to list=search's srprop
 * (bug 25760) counter property still reported by the API when $wgDisableCounters enabled
-* (bug 25793) Session IDs no longer output by action=login to protect against
- session hijacking
 === Languages updated in 1.17 ===
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 25423063c6..987d0468ee 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -87,12 +87,14 @@ class ApiLogin extends ApiBase {
 $result['lgusername'] = $wgUser->getName();
 $result['lgtoken'] = $wgUser->getToken();
 $result['cookieprefix'] = $wgCookiePrefix;
+ $result['sessionid'] = session_id();
 break;
 case LoginForm::NEED_TOKEN:
 $result['result'] = 'NeedToken';
 $result['token'] = $loginForm->getLoginToken();
 $result['cookieprefix'] = $wgCookiePrefix;
+ $result['sessionid'] = session_id();
 break;
 case LoginForm::WRONG_TOKEN:
--
2.20.1
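Review bot: The two added `$result['sessionid'] = session_id();` lines carry no comment explaining why the session id is deliberately exposed in the login response, so the reasoning that justifies it (anyone who can read this response already holds the session cookie, per the commit message) lives only in the commit log and will be lost on the next reader of this file, who may well try to remove it again as a leak. Suggest a comment above the first added line such as `// Intentionally exposed: presumably for clients that cannot consume Set-Cookie (confirm); a reader of this response can already read the cookie itself.` and a one-line pointer to it at the second added line in the NeedToken branch. Since the session id now travels next to lgtoken in the body, it is worth confirming that ApiLogin responses are emitted uncacheable (no shared-cache retention of the body); that cannot be verified from the hunk. The switch and the method enclosing these two cases start and end outside the hunk.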