
"loss of session data" in error messages is meaningless to the user
Closed, ResolvedPublic

Description

"loss of session data" in error messages is meaningless to the user. It basically means "you might have been logged out", and it's normal if the user logged out in another browser window (or logged in, or logged out and logged in as a different user). But it can also happen if the session expired (they're stored for a limited time) and MediaWiki isn't sure if it's still the same user who started the edit, so it gives this error instead of just re-creating the session and saving the page, which could potentially expose the user's IP address or just attribute the edit to the wrong user.

I'm not sure how to clarify, but we should definitely ask the user to check that they're still logged in.


Event Timeline

matmarex raised the priority of this task from to Medium.
matmarex updated the task description. (Show Details)
matmarex added a subscriber: matmarex.
matmarex raised the priority of this task from Medium to High.
matmarex set Security to None.

Change 267705 had a related patch set uploaded (by Bartosz Dziewoński):
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/267705

Change 269424 had a related patch set uploaded (by Gergő Tisza):
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/269424

Change 267705 merged by jenkins-bot:
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/267705

Change 269424 merged by jenkins-bot:
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/269424

Ideally we should check if the user is actually logged in and split the message on that.

If we feel paranoid, the other option (apart from a simple session expiration) is that the user is the target of a CSRF attack. That's probably so super rare though that warning about it in the message would cause more damage than benefit.

Also, a bit off-topic for this task but the typical way IPs are accidentally recorded is that the session expiration happens between loading the article and clicking edit (that's harder to notice). Don't think there is a way to detect that though.

(I am happy enough now.)

The message could be a bit confusing if you are legitimately not logged in (an anonymous user can start editing, have their session expire, and get this message on save).

Pretty sure anonymous users can't get this message. Their token is just +\ and should never fail to match.
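As an added illustration (not MediaWiki's own code) of the token behaviour described in the task and in the last two comments: a constructed model in which a logged-in session derives its edit token from a session secret, anonymous users get the constant `+\`, and the failure message is split on the user's current login state as suggested above. The function names, the HMAC construction and the message wording are assumptions.

```python
import hashlib
import hmac

# Constructed model of the edit-token check discussed in this task; not MediaWiki code.
TOKEN_SUFFIX = "+\\"   # appended to every token; an anonymous user's token is just this
ANON_TOKEN = TOKEN_SUFFIX


def edit_token(session_secret, salt=""):
    """Return the token embedded in the edit form for the given session.

    session_secret is bytes for a logged-in session and None for an anonymous
    user, whose token is the bare suffix and therefore can never mismatch.
    """
    if session_secret is None:
        return ANON_TOKEN
    digest = hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()
    return digest + TOKEN_SUFFIX


def token_matches(current_secret, submitted, salt=""):
    """Compare the submitted token against the session present at save time."""
    expected = edit_token(current_secret, salt)
    return hmac.compare_digest(expected, submitted)


def check_edit(current_secret, submitted, salt=""):
    """Return (ok, message) for a save attempt.

    current_secret is the secret of the session that exists when the form is
    submitted (None if the user is now anonymous, e.g. the session expired).
    On mismatch the message depends on that login state instead of the
    generic 'loss of session data' wording.
    """
    if token_matches(current_secret, submitted, salt):
        return True, ""
    if current_secret is None:
        # Token came from a logged-in session that no longer exists.
        msg = ("Your edit was not saved because you are no longer logged in. "
               "Log in again and retry, otherwise the edit would be attributed "
               "to your IP address.")
    else:
        # Still logged in, but as a different session (or a different user).
        msg = ("Your edit was not saved because your session changed, for "
               "example by logging in or out in another window. Check that you "
               "are still logged in as the intended user, then retry.")
    return False, msg
```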