
Notifications were updated even though session had expired
Open, Needs Triage, Public

Description

I logged into my account on fawiki yesterday and my last edit was 2:53 AM UTC of February 3. Since I have higher privileges in fawiki, I never use the "keep me signed in" option. I did not explicitly log out, but left my browser window unattended for approximately 22 hours. When I came back, I refreshed the window (which was showing a fawiki page). The page refreshed successfully, and I noticed that I had 3 alerts and 2 notices; the yellow "new message" box also appeared.

If I understand the MW session configurations at WMF correctly, my session must have expired by the time I came back. Therefore, even on the first refresh, I should not have been considered logged in, therefore, I should not have seen my notifications or the yellow talk page message. I am guessing some kind of cache was involved in this. Therefore, I refreshed the page. This time, it was shown to me in logged-out form.

I believe something is wrong here. If I was still logged in (which I should not have been) then the session should have been rejuvenated upon the first refresh and I should have remained logged in for the second refresh too, no? And if I indeed was logged out, then why did the first refresh show me the notifications? Of note, when I logged in later, the notification counts were exactly what I had seen after first refresh.

Could there be a cache-related security issue here?

The obvious challenge with this task: it is hardly reproducible.

PS: I remember this happened to me once before, several months ago. At the time, I assumed that I was confused and dismissed it. But that incident made me pay closer attention this time.

Related Objects

| Status | Subtype | Assigned | Task |
| --- | --- | --- | --- |
| Open | None | | |

Event Timeline

Restricted Application added a subscriber: Aklapper.

Something possibly related happened just now.

I spent some 18 hours off wiki. When I came back to my already open window and refreshed, I saw I had notifications. I went to my talk page and the page was rendered in logged-in mode. As I was reading a message that was sent to me, I went to a different page. This page was also rendered in logged-in mode. I closed the tab for that page, but then changed my mind and went to it again; this time, it was rendered in logged-out mode.

Am I wrong to assume that every time I view a page in logged in mode, my session expiry time should be reset? Because the above shows it is not.

> Could there be a cache-related security issue here?

Possibly.

> The obvious challenge with this task: it is hardly reproducible.

Without steps to consistently reproduce these experiences, it will be extremely difficult to address and fix any potential issues. Can you let us know your browser specs/UA, specific URLs traversed and assumed login states, so we can attempt to further troubleshoot this issue? We can protect this task if you'd like. Thanks.

> > Could there be a cache-related security issue here?
>
> Possibly.

This happened again. And I don't think there is a cache issue here. I had left my window open when I had a new message (yellow notification). When I came back only ~2 hours later, I middle-clicked on the yellow badge; my talk page was opened in a new tab, which was rendered in logged-in view, the yellow badge went away, and the notification count was reduced. Then I refreshed the original tab; it got logged out.

Clearly, my act of visiting my talk page was considered a logged-in action, thereby causing the yellow badge to go away and the notification count to be recalculated.

Happy to provide more details in a protected sub-task (please create one); I would prefer to keep this one public because I am likely not the only person impacted.

By the way, my working theory is this: even if a session expires, the cookies from the last page view in logged in status are still fooling MW to think of the user as logged in. It is only after this next page view that the logged out status is truly established. This would obviously be a serious security flaw, if true.
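As an added illustration (not MediaWiki's code and not from this task), the invariant the comments above expect: the server-side session record, not the mere presence of a cookie, decides whether a page view is logged in; a live view slides the expiry forward, an expired one is treated as logged out, and nothing user-scoped (notification counts, marking a talk-page message as read) happens on it. The `SESSION_TTL` value, the token strings and the notification counts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed idle timeout for the example; not WMF's real session setting.
SESSION_TTL = 60 * 60


@dataclass
class Session:
    user: str
    expires_at: int  # unix time after which the record is dead


class SessionStore:
    """Server-side session records keyed by the opaque cookie token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, token: str, now: int) -> None:
        self._sessions[token] = Session(user, now + SESSION_TTL)

    def resolve(self, token: Optional[str], now: int) -> Optional[str]:
        """Return the user for a live session, or None.

        A cookie whose record is missing or expired is rejected outright
        (the expired record is dropped, never rejuvenated). A live record
        gets its expiry slid forward, so every logged-in view resets it.
        """
        if token is None:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]
            return None
        session.expires_at = now + SESSION_TTL
        return session.user


def render(store: SessionStore, token: Optional[str], now: int,
           notifications: Dict[str, int]) -> dict:
    """Decide the login state once per request; derive everything from it.

    Notification counts are only computed, and messages only marked read,
    when the authoritative store says the view is logged in.
    """
    user = store.resolve(token, now)
    if user is None:
        return {"logged_in": False, "alerts": None, "mark_read": False}
    return {"logged_in": True, "alerts": notifications.get(user, 0),
            "mark_read": True}
```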

Huji added a subtask: Restricted Task. Feb 23 2021, 1:26 AM