MediaWiki login failure due to race condition with session cookie
Open, HighPublicBUG REPORT
Actions

Assigned To

None

Authored By

	Tgr
	Jan 14 2022, 3:29 AM

Description

When MediaWiki receives a request with an invalid session, it starts a new anonymous session. In the case of CookieSessionProvider this means changing the session cookie and deleting the other authentication-related cookies.

The session ID is reset (ie. session data is moved to a new address) on certain changes, to prevent session fixation attacks. This means the old session becomes invalid, while the user still has a valid session. If, due to race conditions, the user makes a request with the old session ID, MediaWiki will reset the browser's session cookies to a new anonymous session, effectively logging the user out.

An example locally reproduced by @kostajh (log lines edited for brewity, full version in P18716):

[#1]
[2022-01-13T08:11:18.252634+00:00] wfDebug.DEBUG:   Start request GET /w/index.php?title=Special%3ACreateAccount
[2022-01-13T08:11:18.307820+00:00] cookie.INFO: setcookie: "my_database_session", "espu714u2dvic2ie6vu9m97dmo9bl0ik", "0", "/", "", "", "1", "" {"private":false}

[#2]
[2022-01-13T08:11:21.323528+00:00] wfDebug.DEBUG:   Start request POST /wiki/Special:CreateAccount COOKIE: my_database_session=espu714u2dvic2ie6vu9m97dmo9bl0ik
[2022-01-13T08:11:22.112614+00:00] memcached.DEBUG: MemCache: delete my_database:MWSession:espu714u2dvic2ie6vu9m97dmo9bl0ik (DELETED)
[2022-01-13T08:11:22.114827+00:00] cookie.INFO: setcookie: "my_database_session", "1f0cdurlkvd1murbnqggrk7dj4t8borm", "0", "/", "", "", "1", "" {"private":false}
[2022-01-13T08:11:22.121394+00:00] memcached.DEBUG: set my_database:MWSession:1f0cdurlkvd1murbnqggrk7dj4t8borm (STORED)

[#3]
[2022-01-13T08:11:22.272413+00:00] wfDebug.DEBUG:   Start request GET /w/api.php?action=query&format=json&list=users&... COOKIE: my_database_session=espu714u2dvic2ie6vu9m97dmo9bl0ik
[2022-01-13T08:11:22.283378+00:00] session.INFO: Persisting session due to no pre-existing stored session
[2022-01-13T08:11:22.283852+00:00] cookie.INFO: setcookie: "my_database_session", "d388lh2in8ueofut7tj9s3027bbv7fv7", "0", "/", "", "", "1", "" {"private":false}

[#4]
[2022-01-13T08:11:22.292671+00:00] wfDebug.DEBUG:   Start request GET /w/index.php?title=Special:WelcomeSurvey&...  COOKIE: my_database_session=1f0cdurlkvd1murbnqggrk7dj4t8borm; my_databaseUserID=2193; ...

[#5]
[2022-01-13T08:11:22.291742+00:00] wfDebug.DEBUG:   Start request POST /w/api.php COOKIE: my_database_session=espu714u2dvic2ie6vu9m97dmo9bl0ik
[2022-01-13T08:11:22.300403+00:00] session.DEBUG: SessionBackend "nap3nguq4k57nknlm3tek853vntk78jb" metadata dirty due to ID reset (formerly "espu714u2dvic2ie6vu9m97dmo9bl0ik") 
[2022-01-13T08:11:22.301946+00:00] cookie.INFO: setcookie: "my_database_session", "nap3nguq4k57nknlm3tek853vntk78jb", "0", "/", "", "", "1", "" {"private":false}

[#6]
[2022-01-13T08:11:26.591258+00:00] wfDebug.DEBUG:   Start request POST /wiki/Special:WelcomeSurvey COOKIE: my_databaseUserID=2193; ... my_database_session=nap3nguq4k57nknlm3tek853vntk78jb

User visits the account creation page, gets a temporary anonymous session (session ID espu...) to be used for the login process.
User submits username and password, using the anonymous login session espu.... The logged-in session 1f0c... gets created, the old session gets deleted, the session cookie for the new session gets sent.
The user gets a post-login redirect to the GrowthExperiments welcome survey form. The redirected request uses the logged-in session 1f0c....
Belatedly, the password validation API (triggered by the change event of the password field on the login page) runs. It uses the login session espu... - the browser sent the request before the login succeeded, but the server only processes it afterwards. Since a (by now) non-existant session is referenced, MediaWiki resets the session to a new anonymous session, nap3..., and tells the browser to update cookies accordingly.
User submits the welcome survey. The browser uses the anonymous session nap3... it was told in the previous request to use. By this point the user is logged out (the logged-in session still exists but the browser has lost the key to it).

This was tested with account creation as we discovered it when QA-ing that, but it should equally apply to other workflows with a session ID reset, such as a login or a credentials change. Although for those it's probably mitigated by the "remember me" login option (ie. the user having a cookie with a hash of the user_token DB field) or the central login session in the case of CentralAuth - both of those can make a session with a session cookie referencing a non-existent session store object valid, as there's other authentication data in the session to fall back to.

Monitoring done for T267273: [arwiki] Submitting a POST on a form redirected to immediately after account creation sometimes logs user out suggests this might be happening with nontrivial frequency.

Details

Subject	Repo	Branch	Lines +/-
SessionManager: Add regression test for logout bug	mediawiki/core	master	+111 -19
Revert "Tombstone the old session on SessionBackend::resetId()"	mediawiki/core	master	+14 -84
Revert "Tombstone the old session on SessionBackend::resetId()"	mediawiki/core	wmf/1.39.0-wmf.14	+14 -84
Revert "Tombstone the old session on SessionBackend::resetId()"	mediawiki/core	wmf/1.39.0-wmf.13	+14 -84
Tombstone the old session on SessionBackend::resetId()	mediawiki/core	wmf/1.39.0-wmf.13	+84 -14
Tombstone the old session on SessionBackend::resetId()	mediawiki/core	wmf/1.39.0-wmf.12	+84 -14
SessionManage: Do not save when creating empty session	mediawiki/core	master	+9 -3
Tombstone the old session on SessionBackend::resetId()	mediawiki/core	master	+75 -11
[WIP] Tombstone the old session on SessionBackend::resetId()	mediawiki/core	master	+169 -26

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		None	T311850 [Epic] FY 2022-23 Growth Maintenance Work
		Open	BUG REPORT	None	T299193 MediaWiki login failure due to race condition with session cookie

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2022, 3:29 AM

Tgr added a project: Security.Jan 14 2022, 3:30 AM

Tgr updated the task description. (Show Details)Jan 14 2022, 3:40 AM

Tgr updated the task description. (Show Details)Jan 14 2022, 3:44 AM

Tgr mentioned this in T267273: [arwiki] Submitting a POST on a form redirected to immediately after account creation sometimes logs user out .Jan 14 2022, 4:00 AM

The two possible mitigations I can think of:

When resetting the session ID (ie. on a Session::resetId() call), do not delete the old session. (Ie. remove SessionBackend.php#L299.) This goes against best practice (e.g. CWE-384 says standard mitigation is "Invalidate any existing session identifiers prior to authorizing a new user session") but seems harmless for login and account creation. I'm not sure about credentials change - not sure how a session fixation attack would work at all in that situation. Maybe we can replace the old session with an anonymous one, just to be sure.
When validating the session fails, treat it as an anonymous session but do not try to update session cookies. (The unpersisting happens in SessionManager.php#L566, I think. I'm quite not sure where/why the persisting happens.) I'm not sure if there is a security motive behind the current behavior, or the motivation is just "the session seems to be in an invalid state; let's move it to a known valid state".

A trivial testcase (this is on vagrant, with CentralAuth):

$ curl -Is 'http://dev.wiki.local.wmftest.net:22100/wiki/' -H 'Cookie: wiki_session=1234567890abcdefghijklmnopqrstxyz' | grep Set-Cookie
Set-Cookie: wiki_session=lb7pm1hnfjkgaq20p65t34nnm3ltfc1v; path=/; HttpOnly

With "remember me", session survives: (all cookies other than wiki_session are valid)

$ curl -Is 'http://dev.wiki.local.wmftest.net:22100/wiki/' -H 'Cookie: wikiUserName=Admin; centralauth_User=Admin; centralauth_Token=443a90ae188ce20803b86563a8a15823; wikiUserID=1; wiki_session=1234567890abcdefghijklmnopqrstxyz; centralauth_Session=e75a794edfa0a1f94a0875c49ac46a46' | grep Set-Cookie
Set-Cookie: wiki_session=5avih7ikpf2qritljdehkc0g3rpcog3p; path=/; HttpOnly
Set-Cookie: wikiUserID=1; expires=Wed, 13-Jul-2022 07:44:59 GMT; Max-Age=15552000; path=/; HttpOnly
Set-Cookie: wikiUserName=Admin; expires=Wed, 13-Jul-2022 07:44:59 GMT; Max-Age=15552000; path=/; HttpOnly
Set-Cookie: centralauth_User=Admin; expires=Wed, 13-Jul-2022 07:44:59 GMT; Max-Age=15552000; path=/; HttpOnly
Set-Cookie: centralauth_Token=443a90ae188ce20803b86563a8a15823; expires=Wed, 13-Jul-2022 07:44:59 GMT; Max-Age=15552000; path=/; HttpOnly
Set-Cookie: centralauth_Session=32fce4bc9240f35f2c2eee0da5ce5da2; path=/; HttpOnly

With central session but no "remember me", session still survives: (all cookies other than wiki_session are valid)

$ curl -Is 'http://dev.wiki.local.wmftest.net:22100/wiki/' -H 'Cookie: wiki_session=1234567890abcdefghijklmnopqrstxyz; wikiUserID=42; wikiUserName=Test; centralauth_User=Test; centralauth_Session=c762b52fb34cb14d719b8ba9a37485a8' | grep Set-Cookie
Set-Cookie: wiki_session=nput4bfhj1dmmntmlen8hmlg9ua4tt0h; path=/; HttpOnly
Set-Cookie: wikiUserID=42; expires=Sun, 13-Feb-2022 07:49:16 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: wikiUserName=Test; expires=Sun, 13-Feb-2022 07:49:16 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: centralauth_User=Test; expires=Sun, 13-Feb-2022 07:49:16 GMT; Max-Age=2592000; path=/; HttpOnly
Set-Cookie: centralauth_Session=3114c6667e881c11e1d64a158368f65c; path=/; HttpOnly

So while this is definitely an issue on a wiki with CookieSessionProvider, it might not be related to the issues we seen on CentralAuth wikis, or the relationship is more complex than a simple race condition.

In T299193#7621624, @Tgr wrote:

When validating the session fails, treat it as an anonymous session but do not try to update session cookies. (The unpersisting happens in SessionManager.php#L566, I think. I'm quite not sure where/why the persisting happens.)

Actually not. Persisting/unpersisting happens because CookieSessionProvider returns a SessionInfo with a non-existent ID, so the SessionBackend constructor can't load the session data and sets the dirty flag, and that makes the delayed save in SessionManager::getSessionFromInfo() either persist or unpersist (depending on whether the SessionInfo had its persisted flag set). Can we make it not unpersist? I think so - the one place where security relies on unpersisting a valid session is logout, which makes an explicit unpersist() call. It does seem like a scary change though.

taavi subscribed.Jan 20 2022, 8:20 AM

Can we make it not unpersist?

On a closer look, not easily. Session::unpersist() just sets the persisted flag to false and saves the session. The session does not remember past values of the persisted flag. So unpersisting when the session gets saved with the flag set to false is important.

Maybe there should be a tombstone mechanism where logically deleted session store objects are set to a special value instead of getting physically deleted, and that value is mostly handled the same as missing, except SessionProvider unpersist calls are skipped.

Tagging Security-Team for awareness, and if you all have any suggestions on the proposed mitigations (T299193#7621624), please let us know.

In T299193#7635625, @Tgr wrote:

Maybe there should be a tombstone mechanism where logically deleted session store objects are set to a special value instead of getting physically deleted, and that value is mostly handled the same as missing, except SessionProvider unpersist calls are skipped.

Speaking more for myself and not the entire Security-Team (if other folks would like to chime in, feel free) - while the above approach seems a bit nasty, I'm not sure there's a better way to deal with these weird edge cases. The other approaches, as described above, all seem like they might have potentially negative consequences, some of which we might be unaware of, whereas introducing a tombstone state should theoretically only add a bit more complexity. I don't believe @Anomie has been very active as a volunteer lately, but I'd imagine they would have some relevant guidance to offer on this matter.

sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 25 2022, 7:32 PM

sbassett added a project: SecTeam-Processed.

Zabe subscribed.Jan 25 2022, 7:34 PM

I don't believe @Anomie has been very active as a volunteer lately, but I'd imagine they would have some relevant guidance to offer on this matter.

I've been around enwiki, but after certain terrible managers did some terrible managing I really haven't felt like giving unpaid volunteer coding effort to the WMF.

Change 758418 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] [WIP] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/758418

gerritbot added a project: Patch-For-Review.Jan 31 2022, 7:45 AM

In T299193#7661040, @Anomie wrote:

I've been around enwiki, but after certain terrible managers did some terrible managing I really haven't felt like giving unpaid volunteer coding effort to the WMF.

Ok, no problem, and completely understandable.

Tagging #platform-engineering in case there are any folks there available to look at this patch.

kostajh mentioned this in T303995: Instrument blocked account registration and edit attempts .Mar 24 2022, 2:00 PM

zeljkofilipin subscribed.Mar 25 2022, 10:25 AM

Tgr claimed this task.Apr 19 2022, 12:23 PM

Tgr added a parent task: T304427: [Epic] Q4 FY 2021-22 Growth Maintenance Work.

Tgr added a project: Growth-Team (Sprint 0 (Growth Team)).

Tgr moved this task from Incoming to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.

DAlangi_WMF subscribed.Apr 26 2022, 1:56 PM

I think the tombstone mechanism is feasibly correct to solve this problem but the only query I have in mind with this mechanism is the complexity it introduces and amount of extra overheads involved. I don't want to worry much about the extra memory we'll use the store the tomestone session data (maybe we want to invalidate it after a period of time?).

@Tgr, the patch set you've submitted says it's a WIP, maybe because tests are still on the way? What is needed for us to move this forward? Thanks!

It's WIP because the tests don't pass, but I don't really like the patch as written now. It adds a lot of complexity to SessionManager for something that's conceptually fairly simple, and there is no way to accurately simulate the provider metadata (since the provider thinks this is an authenticated session when it is creating the metadata, but we override it into a non-authenticated one without having a way to let the provider know about that). It's very unlikely, but in theory the provider could put something security-sensitive in there, like declaring the user as privileged in the metadata and then using that in SessionProvider::getAllowedUserRights().

I'm thinking of using the tombstone to force a special session load failure (without unpersisting) in SessionManager::getSessionInfoForRequest() instead, that's a much smaller change and doesn't do things not expected by the provider.

kostajh changed the task status from Open to In Progress.May 12 2022, 8:55 AM

kostajh triaged this task as High priority.

Change 791814 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/791814

Change 758418 abandoned by Gergő Tisza:

[mediawiki/core@master] [WIP] Tombstone the old session on SessionBackend::resetId()

Reason:

in favor of I3a76b67aa51159ebf0195db15cf7c34e00a64a2e

https://gerrit.wikimedia.org/r/758418

Change 791814 merged by jenkins-bot:

[mediawiki/core@master] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/791814

In T299193#7952697, @gerritbot wrote:

Change 791814 merged by jenkins-bot:

[mediawiki/core@master] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/791814

@Tgr I believe you mentioned you wanted to backport this, so that any potential fallout would be easier to spot separately from the train rollout. Is that right? If so, should we plan to backport it today or tomorrow?

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.14; 2022-05-30).May 24 2022, 12:00 PM

Maintenance_bot removed a project: Patch-For-Review.May 24 2022, 12:30 PM

In T299193#7952764, @kostajh wrote:

@Tgr I believe you mentioned you wanted to backport this, so that any potential fallout would be easier to spot separately from the train rollout. Is that right? If so, should we plan to backport it today or tomorrow?

Discussed elsewhere but for the record, the plan is to do that on Monday. Quoting myself:

That way 1) unexpected side effects are easy to attribute even if they are infrequent, as there are no code changes on Monday (on Wednesday there are code changes on loginwiki and on Thursday there are code changes on Wikipedias), 2) we can test it on mwdebug first, 3) I'll be around for a few more days in case something unexpected happens (will be on sabbatical starting next week).

Test plan for making sure nothing is broken:

test manually (signup, login with and without "remember me" flag, centralauth edge login, centralauth autologin, bot password login, OAuth request, password change, request with manually altered session cookie, request after manually deleting the data from the session store - I think that covers all code paths), check the session and auth logstash channels for unexpected errors, check the authevents grafana board after a few hours just in case.

Test plan for seeing if T267273: [arwiki] Submitting a POST on a form redirected to immediately after account creation sometimes logs user out was fixed, per Kosta:

re-run https://gitlab.wikimedia.org/kharlan/T267273-welcomesurvey-logout/-/blob/main/welcomesurveylogout.ipynb on Tuesday, to see what the data looks like after 24 hours of the patch being live.

In T299193#7954643, @Tgr wrote:

Test plan for seeing if T267273: [arwiki] Submitting a POST on a form redirected to immediately after account creation sometimes logs user out was fixed, per Kosta:

re-run https://gitlab.wikimedia.org/kharlan/T267273-welcomesurvey-logout/-/blob/main/welcomesurveylogout.ipynb on Tuesday, to see what the data looks like after 24 hours of the patch being live.

I updated the notebook and added a query for a single day across all wikis.

I also re-ran the notebook for April and it looks like the logout rate is about 12.7% for arwiki.

Change 799388 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.13] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/799388

gerritbot added a project: Patch-For-Review.May 25 2022, 9:33 PM

Change 800082 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] SessionManager: Add regression test for logout bug

https://gerrit.wikimedia.org/r/800082

I finally put together a regression test, and unfortunately I think the test error is genuine. The tombstone prevents SessionManager::loadSessionInfoFromStore() from unpersisting, but after that SessionManager ends up with no established session and goes into getEmptySession(), which saves the session (or more specifically it calls getSessionFromInfo() which does so), and saving an empty session makes the session provider unpersist :(

The ways I can think of to handle this:

Go back to the earlier version of the patch which, instead of discarding a tombstoned session, kept it but then ignored save & similar commands for it. This is probably the most complex approach.
Make an unpersisted SessionBackend start in a non-dirty metadata state (so there is no unpersisting), maybe in a fully non-dirty state. This seems logical but I'm not sure I fully grasp the potential consequences of the change.
Use a flag to make getSessionFromInfo() skip saving the session when it is called from getEmptySessionInternal().
Pass the tombstone flag all the way to getSessionFromInfo() so it can skip saving only in a tombstoned request.

Options 2 and 3 will prevent saving the session when it is empty and freshly created. Saving the session has two effects: the unpersisting (invalid cookies are cleaned up) and saving the session data in in-process cache (but not the real storage). Skipping the unpersisting might mean invalid (e.g. expired) session cookies stick around and prevent the user from being served from edge cache. Skipping the in-process cache probably means an extra session store read on unauthenticated requests. Neither of those seem completely inacceptable but aren't ideal either. I don't think either will actually happen, but we should be watching for them (check the Kask lookup metrics, check the appserver request volume).

Change 800860 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] SessionManage: Do not save when creating empty session

https://gerrit.wikimedia.org/r/800860

Change 800860 merged by jenkins-bot:

[mediawiki/core@master] SessionManage: Do not save when creating empty session

https://gerrit.wikimedia.org/r/800860

Change 799388 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.13] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/799388

ReleaseTaggerBot edited projects, added MW-1.39-notes (1.39.0-wmf.13; 2022-05-23); removed MW-1.39-notes (1.39.0-wmf.14; 2022-05-30).May 31 2022, 9:00 AM

Change 801203 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.12] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/801203

Change 801203 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.12] Tombstone the old session on SessionBackend::resetId()

https://gerrit.wikimedia.org/r/801203

ReleaseTaggerBot edited projects, added MW-1.39-notes (1.39.0-wmf.12; 2022-05-16); removed MW-1.39-notes (1.39.0-wmf.13; 2022-05-23).May 31 2022, 11:00 AM

Mentioned in SAL (#wikimedia-operations) [2022-05-31T11:01:41Z] <tgr@deploy1002> Synchronized php-1.39.0-wmf.13/includes/session: Backport: [[gerrit:799388|Tombstone the old session on SessionBackend::resetId() (T299193)]] (duration: 03m 12s)

It does not seem to be working, even in the narrow sense of fixing the bug described in this task. Steps to reproduce:

in Chrome, open the network tab
go to the login page
select the request for the login page, copy as curl, add -v > /dev/null to the end
log in (which will tombstone the session)
send the curl request
observe that the session cookie is deleted

I can confirm the tombstoned key in the session store, so the patch is doing something, but it doesn't prevent unpersisting.
On a CentralAuth wiki this is probably irrelevant as only the core session cookie is deleted, the CentralAuth cookie is not (WebResponse never issues a delete for cookies which aren't present in the request, and the login session is local) and the session can be recovered from that.

In T299193#7969827, @Tgr wrote:

It does not seem to be working, even in the narrow sense of fixing the bug described in this task. Steps to reproduce:

in Chrome, open the network tab

go to the login page

select the request for the login page, copy as curl, add -v > /dev/null to the end

log in (which will tombstone the session)

send the curl request

observe that the session cookie is deleted

I can confirm the tombstoned key in the session store, so the patch is doing something, but it doesn't prevent unpersisting.
On a CentralAuth wiki this is probably irrelevant as only the core session cookie is deleted, the CentralAuth cookie is not (WebResponse never issues a delete for cookies which aren't present in the request, and the login session is local) and the session can be recovered from that.

At least in my local environment, it fixed the issue where an unresolved HTTP request to validate password validity on Special:CreateAccount caused a logout on the next request. Of course, there are many differences between my local environment and what production users are interacting with.

Tgr mentioned this in T309616: Cross-wiki session loss on Wikimedia wikis.May 31 2022, 2:05 PM

doctaxon subscribed.May 31 2022, 2:10 PM

Not an area I'm knowledgable in at all, but while looking at T309611: Logging out automatically, I found T246943: Login failed/disappeared during 2FA which certainly feels similar.. (if only due to the MediaWiki\Session\MetadataMergeException: Key "CentralAuthSource" changed)

Change 801683 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.13] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801683

Agusbou2015 subscribed.May 31 2022, 2:33 PM

Change 801683 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.13] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801683

Change 801748 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.14] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801748

Change 801749 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801749

Change 801748 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.14] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801748

Caused T309616: Cross-wiki session loss on Wikimedia wikis and had to be reverted. It was disruptive enough that I felt it's better to revert quickly instead of investigating what's going on, but I did notice that the <wiki>Session and `ss0-<wiki>Session cookies had different values some of the time, which I think doesn't normally happen. (The ss0- version is for T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.)

Since the patch only changed the behavior of session ID reset, I assume the new bug was somehow related to Special:CentralAutoLogin/setCookies (one of the few things that does a session ID reset, and the only CentralAuth-related one; and something that can happen in the background on random other wikis via edge login). Not sure how, though.

Change 801749 merged by jenkins-bot:

[mediawiki/core@master] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801749

Aklapper edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Jul 1 2022, 10:51 AM

MShilova_WMF edited parent tasks, added: T311850: [Epic] FY 2022-23 Growth Maintenance Work; removed: T304427: [Epic] Q4 FY 2021-22 Growth Maintenance Work.Jul 1 2022, 3:06 PM

kostajh mentioned this in T313884: selenium: Use Special:CreateAccount for account creation.Jul 27 2022, 5:53 AM

Moved to "needs work" as not planning to work on this right now but should be investigated later.

Unassigning so it drops off of the query here https://phabricator.wikimedia.org/maniphest/query/KYcHqzuhc5a0/

Change 800082 abandoned by Kosta Harlan:

[mediawiki/core@master] SessionManager: Add regression test for logout bug

Reason:

Abandoning per https://gerrit.wikimedia.org/r/c/mediawiki/core/+/800082/2#message-cd69a4d2444c75c6623f7713195c1b7c496e771a

https://gerrit.wikimedia.org/r/800082

@Tgr I'm moving this off our current sprint. I think we've done what we can, as far as our team's priorities and workload allow for at the moment, anyway.

kostajh moved this task from Inbox to Triaged on the Growth-Team board.Oct 17 2022, 7:57 AM

Pppery removed a project: Patch-Needs-Improvement.Jun 23 2023, 3:59 PM

kostajh mentioned this in T359405: Create temporary account early in edit cycle for all edit attempts.Apr 23 2024, 5:30 PM

Pppery changed the task status from In Progress to Open.Mon, Nov 11, 5:22 AM

MediaWiki login failure due to race condition with session cookieOpen, HighPublicBUG REPORTActions

Description

Details

Related ObjectsSearch...

Event Timeline

MediaWiki login failure due to race condition with session cookie
Open, HighPublicBUG REPORT
Actions

Related Objects
Search...