Page MenuHomePhabricator

Collect information about session pollution during the previous SessionManager rollouts
Closed, ResolvedPublic

Description

During the last SessionManager rollout attempt (January 26 to 30) there were two reports of users being logged into the wrong account (i.e. they logged in, or were already logged in, as User:Abc, but suddenly the wiki software recognized them as User:Xyz). That is tracked in T125283 (which is non-public because it contains some login details) and (most of) the response to it is tracked in T124440; this task is to have a public place to collect more information about which users were affected.

If you have information about that happening (most likely between January 26 to 30, but if you have heard of it happening at any time in the last few weeks, please report it), please submit it here (or if you want to include private information, open a new task, select "Security: Software security issue", and mention the task number here). Helpful details:

  • time (hour or minute is extra helpful if available)
  • user account that the user should have been logged into, user account they actually logged into
  • wiki where it happened
  • was this the result of a manual login, or did becoming a different user "just happen"
  • did this happen after visiting a wiki that the user has not visited for a while (weeks)
  • what browser was used

Related Objects

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr subscribed.
Tgr set Security to None.

T124224 might be related and contain more information, but that was using OATH.

T124224 might be related and contain more information, but that was using OATH.

The OAuth bug had similar results but had a well known and now patched cause. See T124224#1949900 for details.

We've reached out in another dozen languages as well, listed in T126074.

Here you are: T120988.

That's completely unrelated. Among other things, it's well outside the January 26 to 30 date range being discussed here and it's with a tool on Tool Labs rather than on-wiki.

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

Sherry spotted this. I don't think the timestamp matches with the train, though, and as the comment notes, it might have been a simple accident.

Is that the wrong diff? I see nothing about that that suggests session issues.

Sorry. this is the correct link.

After checking log data, it looks to me like the "accidentally clicked a rollback link" explanation suggested in that discussion is probably correct.

And it happens regularly, after all, and every now and then we're bound to not notice having done so.

May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.

Original message (hidden) + the following discussion

May be related: a user on fr.wp got a notification for a new message on Flow as he was not logged-in.

Considering that whole topic that the user reported receiving a notification for occurred while SessionManager was not deployed, it seems unlikely to be related. It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

It might have just been that La femme de menage had H4stings's talk page watched (I see that La femme de menage has commented on H4stings's pre-Flow talk page), which I believe causes Flow to send a notification for each new topic posted to the corresponding Flow board.

I share your analysis. La femme de ménage may have been disconnected while posting.
I've preferred to report it just in case. Thanks!

Okay, this is really weird, but I'm actually User:FallingGravity. Somehow I logged into this account when I opened my laptop, even though I never typed in the username and I don't have any clue what the password is (I checked and it's not the same as my actual password). Apparently this account used to be active on the Chinese Wikipedia. Anybody have any clue how this happened? Should I be worried about my account? Actually I think I'll just go ahead and change my user password just in case. 023yangbo (talk) 06:34, 23 February 2016 (UTC)

https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=706427261#I_opened_Wikipedia_and_somehow_I_was_logged_in_to_this_account

Tgr claimed this task.

No reports in a while and we are not actively doing anything about it (and preventative measures have been taken, based on some fairly speculative guesses of what the cause might be), so we can call this done.