
Collect information about session pollution during the previous SessionManager rollouts
Closed, ResolvedPublic

Description

During the last SessionManager rollout attempt (January 26 to 30) there were two reports of users being logged into the wrong account (i.e. they logged in, or were already logged in, as User:Abc, but suddenly the wiki software recognized them as User:Xyz). That is tracked in T125283 (which is non-public because it contains some login details) and (most of) the response to it is tracked in T124440; this task is to have a public place to collect more information about which users were affected.

If you have information about that happening (most likely between January 26 to 30, but if you have heard of it happening at any time in the last few weeks, please report it), please submit it here (or if you want to include private information, open a new task, select "Security: Software security issue", and mention the task number here). Helpful details:

  • time (hour or minute is extra helpful if available)
  • user account that the user should have been logged into, user account they actually logged into
  • wiki where it happened
  • was this the result of a manual login, or did becoming a different user "just happen"
  • did this happen after visiting a wiki that the user has not visited for a while (weeks)
  • what browser was used

Related Objects

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr subscribed.
Tgr set Security to None.

T124224 might be related and contain more information, but that was using OATH.

T124224 might be related and contain more information, but that was using OATH.

The OAuth bug had similar results but had a well known and now patched cause. See T124224#1949900 for details.

We've reached out in another dozen languages as well, listed in T126074.

Here you are: T120988.

That's completely unrelated. Among other things, it's well outside the January 26 to 30 date range being discussed here and it's with a tool on Tool Labs rather than on-wiki.

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

In T126069#2010617, @Tgr wrote:

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

Is that the wrong diff? I see nothing about that that suggests session issues.

Sorry, this is the correct link.

In T126069#2011652, @Tgr wrote:

Sorry, this is the correct link.

After checking log data, it looks to me like the "accidentally clicked a rollback link" explanation suggested in that discussion is probably correct.

And it happens regularly, after all, and every now and then we're bound to not notice having done so.

May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.


May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.

Considering that whole topic that the user reported receiving a notification for occurred while SessionManager was not deployed, it seems unlikely to be related. It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

I share your analysis. La femme de ménage may have been disconnected while posting.
I've preferred to report it just in case. Thanks!

Okay, this is really weird, but I'm actually User:FallingGravity. Somehow I logged into this account when I opened my laptop, even though I never typed in the username and I don't have any clue what the password is (I checked and it's not the same as my actual password). Apparently this account used to be active on the Chinese Wikipedia. Anybody have any clue how this happened? Should I be worried about my account? Actually I think I'll just go ahead and change my user password just in case. 023yangbo (talk) 06:34, 23 February 2016 (UTC)

https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=706427261#I_opened_Wikipedia_and_somehow_I_was_logged_in_to_this_account

Tgr claimed this task.

No reports in a while and we are not actively doing anything about it (and preventative measures have been taken, based on some fairly speculative guesses of what the cause might be), so we can call this done.