Nick Jenkins wrote:
> I'm not 100% sure why, and it's so rare that it's _extremely_ hard to
> be sure, but my working theory is that by pure random fluke two
> session_id strings or two session file names/keys have clashed,
> resulting in user identity getting confused.

I had that thought too, but Steve already explained why this is not the
cause.

In addition, also note that the original posting that started this
thread was talking about a block message. Blocks are per IP, not per
session token, so this falsifies your theory too.

The original report shows that for some pageviews, the system thinks
you're coming from a different IP than you really are.

My theory is that the system (either MediaWiki or the squids) mixes up
two simultaneous connections. Two people requesting a page from the same
server (or the same squid) at the same time, and both receiving the
output that was meant for the other person.

As long as such pageview mix-up is extremely rare, there is next to no
chance for anyone to exploit it maliciously, but it *is* possible, and
it becomes more possible if this happens more frequently.

By the way, I have reason to believe that PHP makes sure that session
tokens are unique when they are assigned.

Timwi