Page MenuHomePhabricator

Possibly getting logged out within the same session after inactivity
Closed, ResolvedPublic

Description

After logging into en.wikipedia.org, after some period of inactivity, I am sometimes logged out automatically.

I am using Firefox 43 with the following settings:

  • Always use private browsing mode
  • Accept cookies, but never accept third-party cookies

Event Timeline

wctaiwan created this task.Jan 29 2016, 7:10 AM
wctaiwan raised the priority of this task from to Needs Triage.
wctaiwan updated the task description. (Show Details)
wctaiwan added subscribers: wctaiwan, bd808.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 29 2016, 7:10 AM

Related excerpts from #wikimedia-operations discussion on 2016-01-29 with bot noise removed:

[05:49:10] <wctaiwan>	 I'm getting logged out within the same browser session again. It seemed to go away for a few days after the first day it happened, but it's returned.
[05:53:21] <p858snake|_>	 repeatedly? all user sessions were killed the other day for security reasons
[05:59:12] <wctaiwan>	 the session is limited to today.
[06:39:28] <bd808>	 wctaiwan: can you get us some details of the sessions this is happening on?
[06:40:08] <wctaiwan>	 what kind of details? I'm using Firefox (latest stable); I accept session cookies, but not third party ones. Cookies are not kept beyond the current session.
[06:40:43] <wctaiwan>	 Indication that it's happening is that I would be logged out, but when I go to login I'd see my username filled in, which it wouldn't be had I not been logged in (unless I'd logged out, but I generally don't bother to).
[06:42:23] <wctaiwan>	 it seems to happen after a period of inactivity? I don't recall evert being logged in and navigating to another page to find that I'd been logged out. But I'm not 100% sure that's not a coincidence.
[06:43:02] <bd808>	 are you moving across wikis? Logging in to a particular wiki?
[06:43:46] <bd808>	 we are having some vaguely similar reports here -- https://phabricator.wikimedia.org/T124252#1979688
[06:43:48] <wctaiwan>	 hmm, that's a good point, actually. I might have logged in on meta and not enwiki. In which case it's PEBKAC.
[06:43:54] <bd808>	 but no actionable details yet
[06:44:51] <wctaiwan>	 okay, I think that's unlikely, since the username wouldn't be pre-filled on enwiki if I logged in on meta (I just tested).
[06:45:15] <bd808>	 logging in on meta and then being logged in on enwiki should generally work for sure
[06:45:54] <bd808>	 assuming that you got all the interactions with loginwiki either via the 3rd party cookie + javascript or by the 1x1 images
[06:46:01] <wctaiwan>	 well, not for me, since meta wouldn't be able to set a cookie for *.wikipedia.org
[06:46:11] <wctaiwan>	 yeah, I wouldn't have, because I block third-party cookies.
[06:46:37] <bd808>	 right. that's the scenario that the images are meant to work with
[06:46:51] <bd808>	 I block 3rd party cookies too
[06:46:57] <wctaiwan>	 I think Firefox catches those. Otherwise it'd be trivial to work around its tracking protection.
[06:47:37] <bd808>	 wctaiwan: are you running incognito too?
[06:47:41] <wctaiwan>	 yes.
[06:47:50] <wctaiwan>	 http://i.imgur.com/8pZHgIS.png are my privacy settings in firefox
[06:47:56] <bd808>	 ah. that may certainly play into this
[06:48:45] <wctaiwan>	 Yeah, it could be related. But this is difficult to pin down because steps for reproduction would be "log in, stop looking at wikipedia, and wait for a few hours and then remember to check"
[06:49:01] <wctaiwan>	 I'm not even sure at this point I'm just logging out and forgetting I did.
[06:49:21] <wctaiwan>	 s/I'm just/if I'm not just/
[06:49:59] <bd808>	 wctaiwan: I think it's worth filing a bug about with the description you have given thus far
[06:50:20] <wctaiwan>	 sure, I can do that. Anything I should look for next time I suspect it's happening?
[06:51:17] <bd808>	 getting the cookies that you have on when you suspect you've been logged out would be good. Having the cookies form before that as well would be even better
[06:51:54] <bd808>	 s/form/from/
[06:52:39] <wctaiwan>	 Hmm, I don't think Firefox shows any cookies when you're using private browsing :/
[06:54:38] <bd808>	 they should show in the developer tools
[06:55:00] <wctaiwan>	 nope
[06:55:00] <wctaiwan>	 https://bugzilla.mozilla.org/show_bug.cgi?id=823941
[06:56:19] <wctaiwan>	 anyway, I'll file the bug. Thanks.
[06:56:29] <bd808>	 wctaiwan: I'm looking at cookies attached to a GET of enwiki in an incognito FF 44 sesion right now
[06:56:57] <wctaiwan>	 ohh
[06:57:03] <wctaiwan>	 I was looking in the storage tab
[06:57:35] <wctaiwan>	 okay, I'll try to get that then.
[06:57:57] <bd808>	 cool. thanks for reporting and being willing to help debug a bit
[06:58:09] <wctaiwan>	 np. thanks for looking into it.
[06:58:32] <bd808>	 wctaiwan: please cc me on the bug you file
[06:58:37] <wctaiwan>	 will do

Possibly related to reports of bots being non-deterministicly logged out on T124252#1979688

Anomie added a subscriber: Anomie.EditedJan 29 2016, 5:10 PM

I note that being completely inactive for 30–60 minutes[1] will result in your session expiring, and if you didn't check the "remember me" checkbox that will cause you to be logged out. Note the username would still be filled in even without "remember me" checked. But that's how it has always worked, IIRC.

Another possibility is that something weird is happening to your cookies; if you can check that the proper cookies are still being sent after inactivity that would be helpful.

And, of course, logging out on any device will log you out everywhere (see T51890).

[1]: The session expires from memc 60 minutes after being saved. But to reduce load on memc it's only re-saved if something in the session data actually changes or if it's going to expire in less than 30 minutes, simply accessing pages won't re-save it otherwise.

I note that being completely inactive for 30–60 minutes[1] will result in your session expiring, and if you didn't check the "remember me" checkbox that will cause you to be logged out. Note the username would still be filled in even without "remember me" checked. But that's how it has always worked, IIRC.

This seems to be it, but I don't think it's worked this way until this week or so (I've used the same browser setup for months and have never noticed myself being logged out). Did the default for the "remember me" checkbox change?

I'll trace the cookies received/sent and report back, just in case something weird is going on.

It does seem like the browser correctly sent all the cookies that were set.

Cookies set by https://en.wikipedia.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page

enwikiSession=AAAA; path=/; secure; httponly
enwikiUserID=241387; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
enwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; httponly
centralauth_Session=BBBB; path=/; domain=.wikipedia.org; secure; httponly
enwikiSession=CCCC; path=/; secure; httponly
centralauth_Session=DDDD; path=/; domain=.wikipedia.org; secure; httponly

Cookies set by https://login.wikimedia.org/wiki/Special:CentralLogin/start

loginwikiSession=EEEE; path=/; secure; httponly
loginwikiUserID=6438; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
loginwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=true; path=/; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
centralauth_Session=HHHH; path=/; secure; httponly
CP=H2; Path=/
WMF-Last-Access=29-Jan-2016;Path=/;HttpOnly;Expires=Tue, 01 Mar 2016 12:00:00 GMT
GeoIP=<redacted>; Path=/; Domain=.wikimedia.org

Cookies set by https://en.wikipedia.org/wiki/Special:CentralLogin/complete

enwikiSession=CCCC; path=/; secure; httponly
enwikiUserID=241387; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
enwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; httponly
centralauth_Session=HHHH; path=/; domain=.wikipedia.org; secure; httponly

Cookies sent when visiting https://en.wikipedia.org/wiki/Main_Page after inactivity:

CP=H2
WMF-Last-Access=29-Jan-2016
GeoIP=<redacted>
enwikimwuser-sessionId=GGGG
enwikiSession=CCCC
enwikiUserID=241387
enwikiUserName=Wctaiwan
forceHTTPS=true
centralauth_User=Wctaiwan
centralauth_Session=HHHH

[WILD SPECULATION] A possible cause is that the SessionManager work which is included in 1.27.0-wmf.11 cleaned up and consolidated all of the session handling code. It is quite possible that in the past we were issuing unnecessary session writes to the backend previously which kept sessions from expiring from the backing cache due to inactivity.

Anomie closed this task as Resolved.Jan 30 2016, 1:44 AM
Anomie claimed this task.

It looks like this was caused by T125267: ~3000% increase in session redis memory usage, causing evictions and session loss. It should hopefully be fixed now. Feel free to reopen if it continues to occur.

Thanks for your help, @wctaiwan!