Reset all tokens on login1.27.0-rc.0

Bug: T122056
Change-Id: I03739e942b6c182ed9cbcd0d9615dcd799e8baed
(cherry picked from commit ca831d5f4535146dc1ddd19059d981f4deb01126)

3 files changed, 3 insertions, 0 deletions

diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 136ce262a76f..69f51b899f77 100644
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -2288,6 +2288,7 @@ class AuthManager implements LoggerAwareInterface {
 		$delay = $session->delaySave();
 
 		$session->resetId();
+		$session->resetAllTokens();
 		if ( $session->canSetUser() ) {
 			$session->setUser( $user );
 		}
diff --git a/includes/specials/pre-authmanager/SpecialUserlogin.php b/includes/specials/pre-authmanager/SpecialUserlogin.php
index e745129427b6..8935a490bb97 100644
--- a/includes/specials/pre-authmanager/SpecialUserlogin.php
+++ b/includes/specials/pre-authmanager/SpecialUserlogin.php
@@ -1718,6 +1718,7 @@ class LoginFormPreAuthManager extends SpecialPage {
 		}
 
 		SessionManager::getGlobalSession()->resetId();
+		SessionManager::getGlobalSession()->resetAllTokens();
 	}
 
 	/**
diff --git a/includes/user/User.php b/includes/user/User.php
index 4f244b749d93..e2b80e473ce2 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3865,6 +3865,7 @@ class User implements IDBAccessObject {
 			$session->setLoggedOutTimestamp( time() );
 			$session->setUser( new User );
 			$session->set( 'wsUserID', 0 ); // Other code expects this
+			$session->resetAllTokens();
 			ScopedCallback::consume( $delay );
 		}
 	}