Collect information about session pollution during the previous SessionManager rollouts
Closed, Resolved (Public)

Description

During the last SessionManager rollout attempt (January 26 to 30) there were two reports of users being logged into the wrong account (i.e. they logged in, or were already logged in, as User:Abc, but suddenly the wiki software recognized them as User:Xyz). That is tracked in T125283 (which is non-public because it contains some login details) and (most of) the response to it is tracked in T124440; this task is to have a public place to collect more information about which users were affected.

If you have information about that happening (most likely between January 26 and 30, but if you have heard of it happening at any time in the last few weeks, please report it), please submit it here (or if you want to include private information, open a new task, select "Security: Software security issue", and mention the task number here). Helpful details:

  • time (hour or minute is extra helpful if available)
  • user account that the user should have been logged into, user account they actually logged into
  • wiki where it happened
  • was this the result of a manual login, or did becoming a different user "just happen"
  • did this happen after visiting a wiki that the user has not visited for a while (weeks)
  • what browser was used
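The details listed above are exactly what a defender needs to tell a genuine session mix-up from a normal re-login on the same browser. As an added example (not part of this task, and not MediaWiki or SessionManager code), the script below walks a constructed, in-memory log of session-binding events and reports every session token that was seen attached to two different accounts, in the same shape as the task's checklist: time, the account the user should have been, the account they actually became, the wiki, whether a manual login happened in between, and whether the wiki changed. The event format, the field names and the sample data are assumptions made for illustration.

```python
"""Flag sessions that were bound to more than one user account.

Added example for this task, not MediaWiki/SessionManager code. The event
tuple layout and the sample data below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, wiki, session id, user, event kind).
# 'login'   = the user submitted the login form on that request
# 'request' = an ordinary request on which the session was recognised as that user
SAMPLE_EVENTS = [
    ("2016-01-27T10:00:00", "enwiki", "sess-A", "Abc", "login"),
    ("2016-01-27T10:05:00", "enwiki", "sess-A", "Abc", "request"),
    ("2016-01-27T10:09:00", "zhwiki", "sess-A", "Xyz", "request"),  # user changed, no login
    ("2016-01-27T11:00:00", "frwiki", "sess-B", "Def", "login"),
    ("2016-01-27T11:30:00", "frwiki", "sess-B", "Def", "request"),
    ("2016-01-27T12:00:00", "frwiki", "sess-B", "Ghi", "login"),    # user changed via login
    ("2016-01-27T12:01:00", "frwiki", "sess-B", "Ghi", "request"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime for sorting."""
    ts, wiki, sid, user, kind = raw
    return {
        "time": datetime.fromisoformat(ts),
        "wiki": wiki,
        "session": sid,
        "user": user,
        "kind": kind,
    }


def find_session_pollution(events):
    """Return one report for every point where a session's user changed.

    Each report carries the fields the task asks reporters for, so a change
    that coincides with a 'login' event (manual_login=True) can be set aside
    as an ordinary re-authentication, while a change on a plain request
    (manual_login=False) is the "it just happened" case worth investigating.
    """
    by_session = defaultdict(list)
    for ev in sorted((parse_event(r) for r in events), key=lambda e: e["time"]):
        by_session[ev["session"]].append(ev)

    reports = []
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["user"] == prev["user"]:
                continue
            reports.append({
                "time": cur["time"].isoformat(),
                "wiki": cur["wiki"],
                "session": sid,
                "expected_user": prev["user"],   # who the session was last known as
                "actual_user": cur["user"],      # who the wiki now recognised
                "manual_login": cur["kind"] == "login",
                "crossed_wiki": cur["wiki"] != prev["wiki"],
            })
    return reports


def suspicious_only(reports):
    """Keep only user changes that did not come from a manual login."""
    return [r for r in reports if not r["manual_login"]]


if __name__ == "__main__":
    for r in find_session_pollution(SAMPLE_EVENTS):
        flag = "LOGIN" if r["manual_login"] else "NO-LOGIN"
        print(f'{r["time"]} {r["wiki"]:7} {r["session"]}: '
              f'{r["expected_user"]} -> {r["actual_user"]} [{flag}]')
```

On the sample data the script yields two user changes: the one on `sess-A` happens on a plain request while crossing from enwiki to zhwiki and is the pattern this task is collecting; the one on `sess-B` coincides with a login form submission and would be filtered out by `suspicious_only`. Real session stores do not usually log this in one table, so in practice the same correlation is done by joining authentication events with request logs on the session token.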

Tgr created this task. Feb 5 2016, 9:25 PM
Tgr added a subscriber: Tgr.
Restricted Application added subscribers: StudiesWorld, Aklapper. Feb 5 2016, 9:25 PM
Tgr edited the task description. Feb 5 2016, 9:42 PM
Tgr set Security to None.
Tgr edited the task description. Feb 5 2016, 9:50 PM
Tgr edited the task description. Feb 5 2016, 10:17 PM
Johan added a subscriber: Johan. Feb 6 2016, 12:27 AM

There's a translatable page here so we can reach more users:
https://meta.wikimedia.org/wiki/User:Johan_(WMF)/Session_pollution

Jay8g added a subscriber: Jay8g. Feb 6 2016, 5:32 AM
Stryn added a subscriber: Stryn. Feb 6 2016, 7:21 AM

T124224 might be related and contain more information, but that was using OATH.

bd808 added a subscriber: bd808. Feb 6 2016, 4:53 PM

T124224 might be related and contain more information, but that was using OATH.

The OAuth bug had similar results but had a well-known and now patched cause. See T124224#1949900 for details.

Anomie added a subscriber: Anomie. Feb 6 2016, 4:57 PM
Johan added a comment. Feb 8 2016, 11:09 AM

We've reached out in another dozen languages as well, listed in T126074.

Elitre added a subscriber: Elitre. Feb 8 2016, 11:11 AM
Anomie added a comment. Feb 8 2016, 2:22 PM

Here you are: T120988.

That's completely unrelated. Among other things, it's well outside the January 26 to 30 date range being discussed here and it's with a tool on Tool Labs rather than on-wiki.

Ltrlg added a subscriber: Ltrlg. Feb 8 2016, 3:16 PM
Teles added a subscriber: Teles. Feb 8 2016, 10:17 PM
Tgr added a comment. Feb 9 2016, 3:12 AM

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

Anomie added a comment. Feb 9 2016, 3:43 PM

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

Is that the wrong diff? I see nothing about that that suggests session issues.

Tgr added a comment. Feb 9 2016, 4:00 PM

Sorry, this is the correct link.

Anomie added a comment. Feb 9 2016, 4:08 PM

Sorry, this is the correct link.

After checking log data, it looks to me like the "accidentally clicked a rollback link" explanation suggested in that discussion is probably correct.

Johan added a comment. Feb 9 2016, 4:12 PM

And it happens regularly, after all, and every now and then we're bound to not notice having done so.

May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.

Original message (hidden) + the following discussion

Anomie added a comment. Feb 9 2016, 5:16 PM

May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.

Considering that the whole topic the user reported receiving a notification for occurred while SessionManager was not deployed, it seems unlikely to be related. It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

I share your analysis. La femme de ménage may have been disconnected while posting.
I've preferred to report it just in case. Thanks!

Johan moved this task from Backlog to Doing on the Liaisons-February-2016 board. Feb 11 2016, 3:08 PM
Jbribeiro1 added a subscriber: Jbribeiro1.
TheDJ added a subscriber: TheDJ. Feb 23 2016, 7:39 AM

Okay, this is really weird, but I'm actually User:FallingGravity. Somehow I logged into this account when I opened my laptop, even though I never typed in the username and I don't have any clue what the password is (I checked and it's not the same as my actual password). Apparently this account used to be active on the Chinese Wikipedia. Anybody have any clue how this happened? Should I be worried about my account? Actually I think I'll just go ahead and change my user password just in case. 023yangbo (talk) 06:34, 23 February 2016 (UTC)

https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=706427261#I_opened_Wikipedia_and_somehow_I_was_logged_in_to_this_account

Tgr closed this task as "Resolved". Mar 4 2016, 2:00 AM
Tgr claimed this task.

No reports in a while and we are not actively doing anything about it (and preventative measures have been taken, based on some fairly speculative guesses of what the cause might be), so we can call this done.