Page MenuHomePhabricator
Create Task
Maniphest T130091

Edits fail with "badtoken: Invalid token" after a few hours.
Closed, InvalidPublic
Actions

Description

I have a bot that can't edit pages after a few hours of inactivity. I save the cookies from a login request and use them in subsequent runs of a bot. Previously, it would work fine for months on end. But now the bot is no longer able to edit pages after a few hours of inactivity. According to an assert=user query, it's still logged in. But fetching a new csrf token and attempting to edit a page always fails with the error: badtoken: Invalid token. It works again after a new login.

I'm not sure exactly when this started happening, maybe a couple of months. I only just got around to investigating it, but haven't discovered much.

T89702 is something similar, but possibly pywikibot related. I'm not using pywikibot, and it's quite possible the problem is my misunderstanding of the API, or some change to the API.

Related Objects

Event Timeline

Ghouston created this task.Mar 16 2016, 5:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 16 2016, 5:33 AM
Ghouston mentioned this in T89702: Edits fail with "badtoken: Invalid token" after script runs for a while.Mar 16 2016, 5:35 AM
Anomie closed this task as Invalid.Mar 16 2016, 1:43 PM
Anomie subscribed.

Sounds like your cookie handling is broken. Make sure that you are properly handling all Set-Cookie headers received, not just headers from the initial login.

Ghouston added a comment.Mar 16 2016, 8:59 PM

Thanks, I only save the initial cookies from the login. I'm curious to know why they change now.

Anomie added a comment.Mar 17 2016, 3:00 PM

We added additional verification to the session cookie checks to be more in line with OWASP security recommendations. One of those is that a client-supplied session identifier should not be used if it's not known to the server (e.g. the session expired from storage on the server), instead we generate a new session identifier and instruct the client to use it for future requests.

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits