
Possibly getting logged out within the same session after inactivity
Closed, Resolved (Public)

Description

After logging into en.wikipedia.org, after some period of inactivity, I am sometimes logged out automatically.

I am using Firefox 43 with the following settings:

  • Always use private browsing mode
  • Accept cookies, but never accept third-party cookies

Event Timeline

wctaiwan raised the priority of this task from to Needs Triage.
wctaiwan updated the task description.
wctaiwan added subscribers: wctaiwan, bd808.

Related excerpts from #wikimedia-operations discussion on 2016-01-29 with bot noise removed:

[05:49:10] <wctaiwan>	 I'm getting logged out within the same browser session again. It seemed to go away for a few days after the first day it happened, but it's returned.
[05:53:21] <p858snake|_>	 repeatedly? all user sessions were killed the other day for security reasons
[05:59:12] <wctaiwan>	 the session is limited to today.
[06:39:28] <bd808>	 wctaiwan: can you get us some details of the sessions this is happening on?
[06:40:08] <wctaiwan>	 what kind of details? I'm using Firefox (latest stable); I accept session cookies, but not third party ones. Cookies are not kept beyond the current session.
[06:40:43] <wctaiwan>	 Indication that it's happening is that I would be logged out, but when I go to login I'd see my username filled in, which it wouldn't be had I not been logged in (unless I'd logged out, but I generally don't bother to).
[06:42:23] <wctaiwan>	 it seems to happen after a period of inactivity? I don't recall ever being logged in and navigating to another page to find that I'd been logged out. But I'm not 100% sure that's not a coincidence.
[06:43:02] <bd808>	 are you moving across wikis? Logging in to a particular wiki?
[06:43:46] <bd808>	 we are having some vaguely similar reports here -- https://phabricator.wikimedia.org/T124252#1979688
[06:43:48] <wctaiwan>	 hmm, that's a good point, actually. I might have logged in on meta and not enwiki. In which case it's PEBKAC.
[06:43:54] <bd808>	 but no actionable details yet
[06:44:51] <wctaiwan>	 okay, I think that's unlikely, since the username wouldn't be pre-filled on enwiki if I logged in on meta (I just tested).
[06:45:15] <bd808>	 logging in on meta and then being logged in on enwiki should generally work for sure
[06:45:54] <bd808>	 assuming that you got all the interactions with loginwiki either via the 3rd party cookie + javascript or by the 1x1 images
[06:46:01] <wctaiwan>	 well, not for me, since meta wouldn't be able to set a cookie for *.wikipedia.org
[06:46:11] <wctaiwan>	 yeah, I wouldn't have, because I block third-party cookies.
[06:46:37] <bd808>	 right. that's the scenario that the images are meant to work with
[06:46:51] <bd808>	 I block 3rd party cookies too
[06:46:57] <wctaiwan>	 I think Firefox catches those. Otherwise it'd be trivial to work around its tracking protection.
[06:47:37] <bd808>	 wctaiwan: are you running incognito too?
[06:47:41] <wctaiwan>	 yes.
[06:47:50] <wctaiwan>	 http://i.imgur.com/8pZHgIS.png are my privacy settings in firefox
[06:47:56] <bd808>	 ah. that may certainly play into this
[06:48:45] <wctaiwan>	 Yeah, it could be related. But this is difficult to pin down because steps for reproduction would be "log in, stop looking at wikipedia, and wait for a few hours and then remember to check"
[06:49:01] <wctaiwan>	 I'm not even sure at this point I'm just logging out and forgetting I did.
[06:49:21] <wctaiwan>	 s/I'm just/if I'm not just/
[06:49:59] <bd808>	 wctaiwan: I think it's worth filing a bug about with the description you have given thus far
[06:50:20] <wctaiwan>	 sure, I can do that. Anything I should look for next time I suspect it's happening?
[06:51:17] <bd808>	 getting the cookies that you have on when you suspect you've been logged out would be good. Having the cookies form before that as well would be even better
[06:51:54] <bd808>	 s/form/from/
[06:52:39] <wctaiwan>	 Hmm, I don't think Firefox shows any cookies when you're using private browsing :/
[06:54:38] <bd808>	 they should show in the developer tools
[06:55:00] <wctaiwan>	 nope
[06:55:00] <wctaiwan>	 https://bugzilla.mozilla.org/show_bug.cgi?id=823941
[06:56:19] <wctaiwan>	 anyway, I'll file the bug. Thanks.
[06:56:29] <bd808>	 wctaiwan: I'm looking at cookies attached to a GET of enwiki in an incognito FF 44 session right now
[06:56:57] <wctaiwan>	 ohh
[06:57:03] <wctaiwan>	 I was looking in the storage tab
[06:57:35] <wctaiwan>	 okay, I'll try to get that then.
[06:57:57] <bd808>	 cool. thanks for reporting and being willing to help debug a bit
[06:58:09] <wctaiwan>	 np. thanks for looking into it.
[06:58:32] <bd808>	 wctaiwan: please cc me on the bug you file
[06:58:37] <wctaiwan>	 will do

Possibly related to reports of bots being non-deterministically logged out on T124252#1979688.

I note that being completely inactive for 30–60 minutes[1] will result in your session expiring, and if you didn't check the "remember me" checkbox that will cause you to be logged out. Note the username would still be filled in even without "remember me" checked. But that's how it has always worked, IIRC.

Another possibility is that something weird is happening to your cookies; if you can check that the proper cookies are still being sent after inactivity that would be helpful.

And, of course, logging out on any device will log you out everywhere (see T51890).

[1]: The session expires from memc 60 minutes after being saved. But to reduce load on memc it's only re-saved if something in the session data actually changes or if it's going to expire in less than 30 minutes; simply accessing pages won't re-save it otherwise.
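As an added illustration of the re-save rule in footnote [1] (this is not MediaWiki's own code): a small Python simulation of a session backend with a 60-minute TTL, where a page view re-saves the session only if its data changed or fewer than 30 minutes remain. The store class, the threshold constant names and the session data are constructed assumptions for the example.

```python
"""Simulate lazy session re-saves: why 30-60 minutes of inactivity logs you out."""
from dataclasses import dataclass, field

SESSION_TTL = 60 * 60        # backend entry expires 60 minutes after it is saved
RESAVE_THRESHOLD = 30 * 60   # only re-save when fewer than 30 minutes of TTL remain


@dataclass
class FakeSessionStore:
    """Stand-in for the memcached backend: key -> (data, absolute expiry time)."""
    entries: dict = field(default_factory=dict)
    writes: int = 0  # count backend writes to show how few page views trigger one

    def set(self, key, data, now):
        self.entries[key] = (dict(data), now + SESSION_TTL)
        self.writes += 1

    def get(self, key, now):
        entry = self.entries.get(key)
        if entry is None or now >= entry[1]:
            self.entries.pop(key, None)  # expired: the backend would have evicted it
            return None
        return entry


def handle_request(store, session_id, now, changes=None):
    """Return session data for a page view at time `now` (seconds), or None if
    the session is gone. Re-saves only on a data change or a near-expiry TTL."""
    entry = store.get(session_id, now)
    if entry is None:
        return None
    data, expiry = entry
    if changes:
        data.update(changes)
    if changes or (expiry - now) < RESAVE_THRESHOLD:
        store.set(session_id, data, now)
    return data


def simulate(visit_minutes, changes_at=()):
    """Log in at t=0, then view pages at the given minutes.
    Returns ([still logged in per visit], total backend writes)."""
    store = FakeSessionStore()
    store.set("enwikiSession", {"wsUserID": 241387}, now=0)  # constructed login
    flags = []
    for m in visit_minutes:
        change = {"touched": m} if m in changes_at else None
        flags.append(handle_request(store, "enwikiSession", m * 60, change) is not None)
    return flags, store.writes
```

A visit at 25 minutes does not refresh the session (35 minutes remain), so a second visit at 61 minutes finds it expired; a visit at 35 minutes does refresh it and keeps the user logged in.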

> I note that being completely inactive for 30–60 minutes[1] will result in your session expiring, and if you didn't check the "remember me" checkbox that will cause you to be logged out. Note the username would still be filled in even without "remember me" checked. But that's how it has always worked, IIRC.

This seems to be it, but I don't think it's worked this way until this week or so (I've used the same browser setup for months and have never noticed myself being logged out). Did the default for the "remember me" checkbox change?

I'll trace the cookies received/sent and report back, just in case something weird is going on.

It does seem like the browser correctly sent all the cookies that were set.

Cookies set by https://en.wikipedia.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page

enwikiSession=AAAA; path=/; secure; httponly
enwikiUserID=241387; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
enwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; httponly
centralauth_Session=BBBB; path=/; domain=.wikipedia.org; secure; httponly
enwikiSession=CCCC; path=/; secure; httponly
centralauth_Session=DDDD; path=/; domain=.wikipedia.org; secure; httponly

Cookies set by https://login.wikimedia.org/wiki/Special:CentralLogin/start

loginwikiSession=EEEE; path=/; secure; httponly
loginwikiUserID=6438; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
loginwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=true; path=/; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
centralauth_Session=HHHH; path=/; secure; httponly
CP=H2; Path=/
WMF-Last-Access=29-Jan-2016;Path=/;HttpOnly;Expires=Tue, 01 Mar 2016 12:00:00 GMT
GeoIP=<redacted>; Path=/; Domain=.wikimedia.org

Cookies set by https://en.wikipedia.org/wiki/Special:CentralLogin/complete

enwikiSession=CCCC; path=/; secure; httponly
enwikiUserID=241387; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
enwikiUserName=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
centralauth_User=Wctaiwan; expires=Sun, 28-Feb-2016 17:32:01 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; httponly
centralauth_Session=HHHH; path=/; domain=.wikipedia.org; secure; httponly

Cookies sent when visiting https://en.wikipedia.org/wiki/Main_Page after inactivity:

CP=H2
WMF-Last-Access=29-Jan-2016
GeoIP=<redacted>
enwikimwuser-sessionId=GGGG
enwikiSession=CCCC
enwikiUserID=241387
enwikiUserName=Wctaiwan
forceHTTPS=true
centralauth_User=Wctaiwan
centralauth_Session=HHHH

[WILD SPECULATION] A possible cause is that the SessionManager work which is included in 1.27.0-wmf.11 cleaned up and consolidated all of the session handling code. It is quite possible that in the past we were issuing unnecessary session writes to the backend, which kept sessions from expiring from the backing cache due to inactivity.

Anomie claimed this task.

It looks like this was caused by T125267: ~3000% increase in session redis memory usage, causing evictions and session loss. It should hopefully be fixed now. Feel free to reopen if it continues to occur.

Thanks for your help, @wctaiwan!