From: Roan Kattouw Date: Fri, 5 Nov 2010 11:42:41 +0000 (+0000) Subject: (bug 25793) Don't output the session ID over HTTP, allows session hijacking because... X-Git-Tag: 1.31.0-rc.0~34083 X-Git-Url: http://git.cyclocoop.org//%27%40script%40/%27?a=commitdiff_plain;h=def196d1376d832236dd1b70e9bcbac9c004fd81;p=lhc%2Fweb%2Fwiklou.git (bug 25793) Don't output the session ID over HTTP, allows session hijacking because logins that failed because no token was specified would output the session ID
---
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 987d0468ee..25423063c6 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -87,14 +87,12 @@ class ApiLogin extends ApiBase {
 $result['lgusername'] = $wgUser->getName();
 $result['lgtoken'] = $wgUser->getToken();
 $result['cookieprefix'] = $wgCookiePrefix;
- $result['sessionid'] = session_id();
 break;
 case LoginForm::NEED_TOKEN:
 $result['result'] = 'NeedToken';
 $result['token'] = $loginForm->getLoginToken();
 $result['cookieprefix'] = $wgCookiePrefix;
- $result['sessionid'] = session_id();
 break;
 case LoginForm::WRONG_TOKEN: