Page MenuHomePhabricator
Create Task
Maniphest T125289

Auth tokens should expire
Open, LowPublic
Actions

Description

Login token cookies (set by MediaWiki core and by CentralAuth) have a 30-day expiration date, but we don't do anything to enforce that on the server side. If the goal of the relatively short expiration time is to limit the effect of stealing login cookies, we shouldn't rely on the client to be honest and honor the expiry date.

We could use something similar to Token::toStringAtTimestamp to issue tokens which include an expiration timestamp.

Related Objects

Event Timeline

Tgr created this task.Jan 30 2016, 9:40 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: Security-Core, MediaWiki-extensions-CentralAuth, MediaWiki-Core-AuthManager, acl*security.
Tgr changed the visibility from "Public (No Login Required)" to "Custom Policy".
Tgr changed the edit policy from "All Users" to "Custom Policy".
Tgr changed Security from None to Software security bug.
Tgr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 30 2016, 9:40 AM
Anomie subscribed.Feb 1 2016, 11:40 PM

I think the reason is more that the old privacy policy specified a 30-day
maximum on cookies.

dpatrick triaged this task as Medium priority.Feb 2 2016, 10:06 PM
csteipp subscribed.Feb 3 2016, 5:34 PM
In T125289#1988143, @Anomie wrote:

I think the reason is more that the old privacy policy specified a 30-day
maximum on cookies.

I think that's right.

Anomie added a comment.Feb 3 2016, 10:11 PM

See also T68699: Increase "remember me" login cookie expiry from 30 days to 1 year on Wikimedia wikis.

Tgr added a subscriber: dpatrick.Sep 18 2016, 6:07 AM

If we don't much care, should we decline the tas and remove custom policy, given that we use 1 year now on Wikimedia and half a year on default MW installs? @dpatrick any thoughts?

Aklapper added a comment.Apr 26 2017, 6:30 PM

@dpatrick: Any feedback on the question in the last comment?

Aklapper added a comment.Jan 5 2018, 8:10 PM
In T125289#2646116, @Tgr wrote:

If we don't much care, should we decline the tas and remove custom policy, given that we use 1 year now on Wikimedia and half a year on default MW installs?

Any thoughts / answer from a Security team member, please?

Aklapper removed a project: Security-Core.Nov 27 2019, 12:42 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:02 PM
Aklapper added a project: Security-Team.Feb 22 2021, 8:43 AM

Seeking input from Security-Team hence adding tag

sbassett removed a project: Security-Team.Feb 22 2021, 4:15 PM
sbassett subscribed.
In T125289#6847728, @Aklapper wrote:

Seeking input from Security-Team hence adding tag

Reviewed at the Security-Team clinic today.

In T125289#2646116, @Tgr wrote:

If we don't much care, should we decline the task and remove custom policy, given that we use 1 year now on Wikimedia and half a year on default MW installs?

I'll do this now. This would be a good code hardening measure in the Security-Team's collective opinion, but without a confirmed vulnerability which becomes an increased threat within an additional 11-month period as opposed to a 30-day period, this doesn't seem quite as urgent. If such vulnerabilities do exist, we'd be happy to reevaluate this.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 22 2021, 4:15 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
RhinosF1 subscribed.Feb 22 2021, 4:17 PM
sbassett added a project: SecTeam-Processed.Feb 22 2021, 4:17 PM
Aklapper lowered the priority of this task from Medium to Low.Feb 22 2021, 7:12 PM
Bugreporter moved this task from Backlog to Central session, SSO (autologin) and centralauthtoken on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:50 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL