
Session hijacking: please provide instructions how to proceed
Open, Needs Triage, Public


Yesterday around 18:40 UTC I got the notification on Wikimedia Commons that due to session hijacking my edit was not saved. About the same time my e-mail service (outside Wikimedia) gave a message that something was happening.

I tried to log out, but that did not work.

Then I deleted the cookies in my browser.

Next, logging in was not possible due to session hijacking, the error message said.

My browser (FF) is up to date, as is the software on my PC; on Wikimedia I use two-factor-identification when logging in, and at the time it happened I was doing nothing other than uploading files and creating a category on Commons.

I am happy the system in MediaWiki is able to detect session hijacking, but it is not clear to me how to proceed in situations where this happens. Also, the message shown while I was logged in, as well as the failure message that I could not log in, did not give any instructions or information on what to do in this situation.

So my question is: how should one proceed when the system detects session hijacking?
And can the error message be more informative about how a user should respond to this situation?


Event Timeline

For instructions, see linked from . These instructions seem not to be specific to Wikimedia sites, hence I'd say this could be done. (I am mentioning this only as I do not want bug reports about random potentially broken third-party websites - that mistake was made before in T188729 or T209335.)

(For the record, the underlying issue for the incident that you experienced yesterday was T255179#6217631.)