
Edits fail with "badtoken: Invalid token" after a few hours.
Closed, Invalid · Public

Description

I have a bot that can't edit pages after a few hours of inactivity. I save the cookies from a login request and use them in subsequent runs of a bot. Previously, it would work fine for months on end. But now the bot is no longer able to edit pages after a few hours of inactivity. According to an assert=user query, it's still logged in. But fetching a new csrf token and attempting to edit a page always fails with the error: badtoken: Invalid token. It works again after a new login.

I'm not sure exactly when this started happening, maybe a couple of months. I only just got around to investigating it, but haven't discovered much.

T89702 is something similar, but possibly pywikibot related. I'm not using pywikibot, and it's quite possible the problem is my misunderstanding of the API, or some change to the API.

Event Timeline

Ghouston created this task. Mar 16 2016, 5:33 AM
Restricted Application added a subscriber: Aklapper. Mar 16 2016, 5:33 AM
Anomie closed this task as Invalid. Mar 16 2016, 1:43 PM
Anomie added a subscriber: Anomie.

Sounds like your cookie handling is broken. Make sure that you are properly handling all Set-Cookie headers received, not just headers from the initial login.

Thanks, I only save the initial cookies from the login. I'm curious to know why they change now.

We added additional verification to the session cookie checks to be more in line with OWASP security recommendations. One of those is that a client-supplied session identifier should not be used if it's not known to the server (e.g. the session expired from storage on the server); instead, we generate a new session identifier and instruct the client to use it for future requests.
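The failure described in this task and the server behaviour explained in the reply above can be reproduced without a network. The following is an added example, not code from the reporter's bot or from MediaWiki: a toy server model that never adopts a session id it does not know (issuing a fresh one via Set-Cookie and re-authenticating from a long-lived login cookie), next to a bot client that either keeps only the cookies from the login response or, as the reply recommends, stores the cookies from every response. The cookie names, the `Response` shape and the `WikiServer`/`BotClient` classes are constructed for the illustration; only the API parameters (`assert=user`, `meta=tokens`, `action=edit`, the `badtoken` error code) come from the task.

```python
"""Why a CSRF token fetched in one request fails in the next when cookies are stale.

Constructed simulation of the behaviour described in the ticket; not MediaWiki code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    body: dict
    set_cookie: dict = field(default_factory=dict)  # cookies the server asks the client to store


class WikiServer:
    """Toy model (constructed): sessions live in server storage and can expire; a long-lived
    login cookie re-authenticates the user when the session is gone."""

    def __init__(self):
        self.sessions = {}    # session id -> {"user": name, "csrf": token}
        self.persistent = {}  # long-lived login token -> user name

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        login_token = secrets.token_hex(16)
        self.persistent[login_token] = user
        return Response({"login": "Success"}, {"session": sid, "Token": login_token})

    def expire_sessions(self):
        """Hours of inactivity: every session is dropped from server storage."""
        self.sessions.clear()

    def _resolve(self, cookies):
        """A client-supplied session id that is unknown to the server is never adopted.
        A fresh id is created instead and returned via Set-Cookie."""
        sid = cookies.get("session")
        if sid in self.sessions:
            return self.sessions[sid], {}
        user = self.persistent.get(cookies.get("Token"))  # may be None: not logged in
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return self.sessions[new_sid], {"session": new_sid}

    def api(self, params, cookies):
        sess, set_cookie = self._resolve(cookies)
        if params["action"] == "query" and params.get("assert") == "user":
            if sess["user"] is None:
                return Response({"error": {"code": "assertuserfailed"}}, set_cookie)
            return Response({"query": {"userinfo": {"name": sess["user"]}}}, set_cookie)
        if params["action"] == "query" and params.get("meta") == "tokens":
            return Response({"query": {"tokens": {"csrftoken": sess["csrf"]}}}, set_cookie)
        if params["action"] == "edit":
            if params.get("token") != sess["csrf"]:  # token belongs to a different session
                return Response({"error": {"code": "badtoken", "info": "Invalid token"}}, set_cookie)
            return Response({"edit": {"result": "Success"}}, set_cookie)
        return Response({"error": {"code": "unknown_action"}}, set_cookie)


class BotClient:
    """update_cookies=False keeps only the login cookies (the reported bot);
    update_cookies=True applies every Set-Cookie header (the recommended fix)."""

    def __init__(self, server, update_cookies):
        self.server = server
        self.update_cookies = update_cookies
        self.cookies = {}

    def _request(self, params):
        resp = self.server.api(params, dict(self.cookies))
        if self.update_cookies:
            self.cookies.update(resp.set_cookie)
        return resp.body

    def login(self, user):
        self.cookies.update(self.server.login(user).set_cookie)

    def is_logged_in(self):
        return "error" not in self._request({"action": "query", "assert": "user"})

    def edit(self, title, text):
        token = self._request({"action": "query", "meta": "tokens"})["query"]["tokens"]["csrftoken"]
        return self._request({"action": "edit", "title": title, "text": text, "token": token})


def run_scenario(update_cookies):
    """Returns (first edit result, logged in after expiry?, second edit error code or 'ok')."""
    server = WikiServer()
    bot = BotClient(server, update_cookies)
    bot.login("ExampleBot")
    first = bot.edit("Sandbox", "hello")
    server.expire_sessions()
    still_logged_in = bot.is_logged_in()
    second = bot.edit("Sandbox", "hello again")
    return (first.get("edit", {}).get("result"),
            still_logged_in,
            second.get("error", {}).get("code", "ok"))


if __name__ == "__main__":
    print("login cookies only:", run_scenario(False))  # -> ('Success', True, 'badtoken')
    print("all Set-Cookie applied:", run_scenario(True))  # -> ('Success', True, 'ok')
```

The stale client still passes `assert=user`, because the long-lived cookie re-authenticates it, but each request it makes is answered under a different freshly created session, so the token it fetched never matches the session in which the edit is checked. In a real client this means using one cookie jar for the whole run (for example the jar inside a `requests.Session`, which applies Set-Cookie headers from every response) and saving that jar after the last request, not the cookies captured at login time.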