
Logging out of a wiki leaves an XXwikiSession= Cookie behind
Closed, ResolvedPublic

Description

When I log into a wiki (tested enwiki, frwiki) and then log back out, the served HTML from that point onwards (random articles and such) appears correctly with a logged-out header, but a cookie like enwikiSession=XXXXXXXX is left behind. This triggers current Varnish code to assume I'm still logged in, which causes all my pageviews to be uncacheable responses rather than cacheable. I'm not 100% sure whether this is a recent regression - I think it is, but either way this should be fixable...?

Event Timeline

Restricted Application added subscribers: StudiesWorld, Aklapper.

Note also, the Cookie left behind has session duration rather than explicit expiry.

Anomie added subscribers: csteipp, Tgr, Anomie.

I'm not 100% sure whether this is a recent regression - I think it is

It's not. Logging out in MediaWiki clears the UserID and Token cookies and various CentralAuth cookies, but as far as I can tell it has never removed the PHP session cookie.

We could make this change without too much trouble, though, if it's something that we want to do and won't break anything else. @csteipp, @Tgr, any thoughts?

OWASP ASVS 2.7 (a draft version) had "Verify that the session id is changed or cleared on logout"; for 3.0 that was changed into the vaguer "Verify that all successful authentication and re-authentication generates a new session and session id". Their testing guide says "It should be not necessary for the security of the application, but setting session cookies to new values after log out is generally considered as good practice." So I guess no reason not to.

Yep, exactly what @Tgr said. Historically, it was considered best practice to delete or change it, in case you forgot to also disable the session server side. I think everyone now realizes that if you don't disable the session server side, it doesn't matter what you actually send to the client.

That said, if we're disabling the session server-side, we may want to remove it on logout, so users go back to getting the cached versions of pages.
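The two separate properties discussed above (server-side invalidation is what protects the account; clearing the Session cookie is what lets the edge cache serve cached pages again) can be seen side by side in a small simulation. This is an added example, not MediaWiki's or the patch's own code: the in-memory session store, the `enwiki` cookie prefix, the user id and the `*Session=` edge-cache rule are all constructed to mirror the behaviour the task describes.

```python
import re
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory server-side session store, keyed by session id.
SESSIONS: Dict[str, dict] = {}
WIKI = "enwiki"  # constructed cookie prefix, mirrors the enwikiSession=... cookie from the task

# Convention for Set-Cookie directives in this example: a value of None means
# "expire this cookie" (Max-Age=0 / Expires in the past), anything else stores it.


def login(username: str) -> Dict[str, Optional[str]]:
    """Create a server-side session and return the cookies a login response would set."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "created": time.time()}
    return {
        f"{WIKI}Session": sid,
        f"{WIKI}UserID": "12345",  # constructed user id
        f"{WIKI}Token": secrets.token_hex(16),
    }


def logout_before(cookies: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pre-fix behaviour described in the task: the session is disabled server-side
    and UserID/Token are cleared, but the Session cookie is never touched."""
    SESSIONS.pop(cookies.get(f"{WIKI}Session"), None)
    return {f"{WIKI}UserID": None, f"{WIKI}Token": None}


def logout_after(cookies: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Post-fix behaviour: same server-side invalidation, plus the Session cookie
    is expired so the browser stops sending it."""
    SESSIONS.pop(cookies.get(f"{WIKI}Session"), None)
    return {f"{WIKI}UserID": None, f"{WIKI}Token": None, f"{WIKI}Session": None}


def apply_set_cookies(jar: Dict[str, str], set_cookies: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Apply a response's Set-Cookie directives to the browser's cookie jar."""
    jar = dict(jar)
    for name, value in set_cookies.items():
        if value is None:
            jar.pop(name, None)  # expired cookie is dropped by the browser
        else:
            jar[name] = value
    return jar


def cookie_header(jar: Dict[str, str]) -> str:
    """Serialise the jar the way it would appear in a request's Cookie: header."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


# Approximation of the edge-cache rule the task describes: a request carrying any
# *Session= cookie is treated as a logged-in user and must bypass the cache.
SESSION_COOKIE_RE = re.compile(r"(^|;\s*)[A-Za-z_]*Session=")


def cacheable_at_edge(cookie_hdr: str) -> bool:
    return SESSION_COOKIE_RE.search(cookie_hdr) is None


def is_logged_in_server_side(jar: Dict[str, str]) -> bool:
    """What actually decides authentication: is the presented session id still live?"""
    return jar.get(f"{WIKI}Session") in SESSIONS


def simulate(logout_fn) -> Dict[str, bool]:
    """Log in, log out with the given handler, then inspect the resulting state."""
    jar = apply_set_cookies({}, login("Alice"))
    jar = apply_set_cookies(jar, logout_fn(jar))
    return {
        "session_cookie_left": f"{WIKI}Session" in jar,
        "logged_in_server_side": is_logged_in_server_side(jar),
        "cacheable": cacheable_at_edge(cookie_header(jar)),
    }


if __name__ == "__main__":
    print("before fix:", simulate(logout_before))
    print("after fix: ", simulate(logout_after))
```

In both runs the user is logged out server-side, which is the security property: the leftover cookie names a session that no longer exists. Only the fixed handler also removes the Session cookie, and only then does the edge-cache check return to cacheable, which is the regression the task is about.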

Change 273524 had a related patch set uploaded (by Anomie):
Unpersist the session on logout

https://gerrit.wikimedia.org/r/273524

Change 273524 merged by jenkins-bot:
Unpersist the session on logout

https://gerrit.wikimedia.org/r/273524