From def196d1376d832236dd1b70e9bcbac9c004fd81 Mon Sep 17 00:00:00 2001
From: Roan Kattouw
Date: Fri, 5 Nov 2010 11:42:41 +0000
Subject: [PATCH] (bug 25793) Don't output the session ID over HTTP, allows session hijacking because logins that failed because no token was specified would output the session ID

---
 includes/api/ApiLogin.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 987d0468ee..25423063c6 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -87,14 +87,12 @@ class ApiLogin extends ApiBase {
 $result['lgusername'] = $wgUser->getName();
 $result['lgtoken'] = $wgUser->getToken();
 $result['cookieprefix'] = $wgCookiePrefix;
-$result['sessionid'] = session_id();
 break;
 case LoginForm::NEED_TOKEN:
 $result['result'] = 'NeedToken';
 $result['token'] = $loginForm->getLoginToken();
 $result['cookieprefix'] = $wgCookiePrefix;
-$result['sessionid'] = session_id();
 break;
 case LoginForm::WRONG_TOKEN:
-- 
2.20.1