Page MenuHomePhabricator
Create Task
Maniphest T125334

"loss of session data" in error messages is meaningless to the user
Closed, ResolvedPublic
Actions

Description

"loss of session data" in error messages is meaningless to the user. It basically means "you might have been logged out", and it's normal if the user logged out in another browser window (or logged in, or logged out and logged in as a different user). But it can also happen if the session expired (they're stored for limited time) and MediaWiki isn't sure if it's still the same user who started the edit, so it gives this error instead of just re-creating the session and saving the page, which could potentially expose user's IP address or just attribute the edit to the wrong user.

I'm not sure how to clarify, but we should definitely ask the user to check that they're still logged in.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Clarify and expand messages mentioning "loss of session data"mediawiki/coremaster+8 -8
Clarify and expand messages mentioning "loss of session data"mediawiki/corewmf/1.27.0-wmf.12+8 -8
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
InvalidNoneT40638 [DO NOT USE] Interface messages needing rewording or documentation and other issues with existing messages [superseded by #Voice_&_Tone]
ResolvedmatmarexT125334 "loss of session data" in error messages is meaningless to the user
· · ·

Event Timeline

matmarex created this task.Jan 31 2016, 12:48 PM
matmarex raised the priority of this task from to Medium.
matmarex updated the task description. (Show Details)
matmarex added projects: MediaWiki-Internationalization, I18n.
matmarex subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2016, 12:48 PM
Aklapper added a project: Voice & Tone.Jan 31 2016, 11:29 PM
Aklapper added a parent task: T40638: [DO NOT USE] Interface messages needing rewording or documentation and other issues with existing messages [superseded by #Voice_&_Tone].
matmarex claimed this task.Jan 31 2016, 11:50 PM
matmarex raised the priority of this task from Medium to High.
matmarex set Security to None.
gerritbot subscribed.Feb 1 2016, 6:08 PM

Change 267705 had a related patch set uploaded (by Bartosz Dziewoński):
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/267705

gerritbot added a project: Patch-For-Review.Feb 1 2016, 6:08 PM
matmarex mentioned this in T124440: Invalidate all users sessions.Feb 9 2016, 3:04 PM
gerritbot added a comment.Feb 9 2016, 3:56 PM

Change 269424 had a related patch set uploaded (by Gergő Tisza):
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/269424

gerritbot added a comment.Feb 9 2016, 4:07 PM

Change 267705 merged by jenkins-bot:
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/267705

gerritbot added a comment.Feb 9 2016, 4:28 PM

Change 269424 merged by jenkins-bot:
Clarify and expand messages mentioning "loss of session data"

https://gerrit.wikimedia.org/r/269424

Tgr subscribed.Feb 9 2016, 4:37 PM

Ideally we should check if the user is actually logged in and split the message on that.

If we feel paranoid, the other option (apart from a simple session expiration) is that the user is the target of a CSRF attack. That's probably so super rare though that warning about it in the message would cause more damage than benefit.

Also, a bit off-topic for this task but the typical way IPs are accidentally recorded is that the session expiration happens between loading the article and clicking edit (that's harder to notice). Don't think there is a way to detect that though.

matmarex closed this task as Resolved.Feb 10 2016, 2:56 AM

(I am happy enough now.)

Tgr added a comment.Feb 10 2016, 3:37 AM

The message could be a bit confusing if you are legitimately not logged in (an anonymous user can start editing, have their session expire, and get this message on save).

matmarex added a comment.Feb 10 2016, 3:42 AM

Pretty sure anonymous users can't get this message. Their token is just +\ and should never fail to match.

ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2016-02-02_(1.27.0-wmf.12)), MW-1.27-release (WMF-deploy-2016-02-16_(1.27.0-wmf.14)), MW-1.27-release-notes.Feb 12 2016, 11:02 PM
Aklapper removed a project: MW-1.27-release (WMF-deploy-2016-02-16_(1.27.0-wmf.14)).May 24 2021, 9:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits