From ca831d5f4535146dc1ddd19059d981f4deb01126 Mon Sep 17 00:00:00 2001
From: Chad Horohoe
Date: Tue, 31 May 2016 12:20:05 -0700
Subject: [PATCH] Reset all tokens on login

Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed
---
 includes/auth/AuthManager.php | 1 +
 includes/specials/pre-authmanager/SpecialUserlogin.php | 1 +
 includes/user/User.php | 1 +
 3 files changed, 3 insertions(+)

diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 136ce262a7..69f51b899f 100644
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -2288,6 +2288,7 @@ class AuthManager implements LoggerAwareInterface {
 $delay = $session->delaySave();
 $session->resetId();
+ $session->resetAllTokens();
 if ( $session->canSetUser() ) {
 $session->setUser( $user );
 }
diff --git a/includes/specials/pre-authmanager/SpecialUserlogin.php b/includes/specials/pre-authmanager/SpecialUserlogin.php
index e745129427..8935a490bb 100644
--- a/includes/specials/pre-authmanager/SpecialUserlogin.php
+++ b/includes/specials/pre-authmanager/SpecialUserlogin.php
@@ -1718,6 +1718,7 @@ class LoginFormPreAuthManager extends SpecialPage {
 }
 SessionManager::getGlobalSession()->resetId();
+ SessionManager::getGlobalSession()->resetAllTokens();
 }
 /**
diff --git a/includes/user/User.php b/includes/user/User.php
index 70adc32d22..ff3171ef20 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3904,6 +3904,7 @@ class User implements IDBAccessObject {
 $session->setLoggedOutTimestamp( time() );
 $session->setUser( new User );
 $session->set( 'wsUserID', 0 ); // Other code expects this
+ $session->resetAllTokens();
 ScopedCallback::consume( $delay );
 $error = false;
 }
-- 
2.20.1
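Review bot: The added `$session->resetAllTokens();` after `resetId()` in AuthManager.php has no comment saying why rotating the session id is not enough on its own, and the same applies to the calls added in SpecialUserlogin.php and User.php. A later cleanup could drop it as redundant; a line such as `// Also discard tokens issued before authentication so they cannot be reused afterwards (T122056)` would record the intent. The diffstat lists no test file, so a regression test asserting that a token fetched before login no longer matches after login would guard all three call sites. The enclosing method starts and ends outside the hunk.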
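Review bot: In SpecialUserlogin.php the global session is looked up twice for two consecutive mutations, where the AuthManager hunk holds it in a local and wraps the changes in `delaySave()`. Fetching it once, `$session = SessionManager::getGlobalSession();` followed by `$session->resetId();` and `$session->resetAllTokens();`, reads more clearly and makes it obvious both resets hit the same session object. Whether a save delay is already active here cannot be seen, since the method begins outside the hunk; if it is not, the id rotation and the token reset may be persisted separately, which is worth confirming.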
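Review bot: The subject says tokens are reset on login, but in User.php the added `$session->resetAllTokens();` follows `setLoggedOutTimestamp( time() )` and `setUser( new User )`, which looks like the logout path. The commit message or a comment should state that logout is covered as well, for example `// Tokens issued to the logged-in user must not stay valid for the anonymous session`. Placing the call before `ScopedCallback::consume( $delay )` looks right, presumably so the reset is saved together with the other session changes. The method starts outside the hunk, so the surrounding conditions are not visible.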