
Investigate whether cookie blocks are working properly 4H
Closed, Resolved · Public

Description

We've had some reports from admins that they are suspicious that cookie blocks may not be working as intended.

We should do some testing to check whether cookie blocks are added in the situations described in the documentation for CookieSetOnAutoblock and CookieSetOnIpBlock: https://gerrit.wikimedia.org/g/mediawiki/core/+/07f26c8efe46f8e95198fb559c8d2e8312034996/includes/MainConfigSchema.php#8809

We can test this locally, on beta and on testwiki by blocking our own accounts and checking cookies.
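The behaviour under test here (a cookie issued when a blocked IP or autoblocked user loads a page, the block following that cookie to a new IP, and an autoblock lapsing after its expiry) can be modelled end to end without a wiki. The following Python is an added example, not MediaWiki code: it keeps the shape MediaWiki gives the cookie value (the block id, a `!` and an HMAC over the id keyed with the wiki secret key), but the hash choice, the function and cookie names, the IP addresses, the block id and the timestamps are this example's own constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for $wgSecretKey; a real wiki uses its own secret.
SECRET_KEY = b"example-wiki-secret-key"


def cookie_value_for_block(block_id: int, secret: bytes = SECRET_KEY) -> str:
    """Build a cookie value of the form '<id>!<hmac>' (the shape MediaWiki uses)."""
    mac = hmac.new(secret, str(block_id).encode(), hashlib.sha256).hexdigest()
    return f"{block_id}!{mac}"


def block_id_from_cookie(value: str, secret: bytes = SECRET_KEY) -> Optional[int]:
    """Return the block id only if the value is well formed and the MAC verifies."""
    id_part, sep, mac_part = value.partition("!")
    if not sep or not id_part.isdigit():
        return None
    expected = hmac.new(secret, id_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_part):
        return None
    return int(id_part)


@dataclass
class Block:
    id: int
    target_ip: str
    expiry: int              # unix time; an autoblock lasts one day
    set_cookie: bool = True  # models CookieSetOnIpBlock / CookieSetOnAutoblock


@dataclass
class Visitor:
    ip: str
    cookies: dict = field(default_factory=dict)


def find_block(blocks, visitor, now) -> Optional[Block]:
    """Match the visitor by IP first, then by a verified BlockID cookie; ignore expired blocks."""
    live = [b for b in blocks if b.expiry > now]
    for b in live:
        if b.target_ip == visitor.ip:
            return b
    bid = block_id_from_cookie(visitor.cookies.get("BlockID", ""))
    if bid is not None:
        for b in live:
            if b.id == bid:
                return b
    return None


def page_view(blocks, visitor, now) -> bool:
    """Simulate a page load: issue the cookie when blocked; return True if editing is allowed."""
    b = find_block(blocks, visitor, now)
    if b is None:
        return True
    if b.set_cookie and "BlockID" not in visitor.cookies:
        visitor.cookies["BlockID"] = cookie_value_for_block(b.id)
    return False


def demo() -> dict:
    """Walk through the scenarios reported on this task with constructed data."""
    day = 24 * 3600
    t0 = 1_655_000_000                      # constructed timestamp
    blocks = [Block(id=17, target_ip="192.0.2.10", expiry=t0 + day)]
    results = {}

    v = Visitor(ip="192.0.2.10")
    results["blocked_ip_can_edit"] = page_view(blocks, v, t0)       # False, cookie issued
    results["cookie_issued"] = "BlockID" in v.cookies                # True

    v.ip = "198.51.100.7"                                            # visitor moves to a new IP
    results["new_ip_can_edit"] = page_view(blocks, v, t0 + 60)       # False, blocked via cookie

    v.cookies.clear()                                                # visitor clears cookies...
    v.ip = "192.0.2.10"                                              # ...while back on the blocked IP
    results["reissued_after_clear"] = (page_view(blocks, v, t0 + 120) is False
                                       and "BlockID" in v.cookies)   # True

    forged = Visitor(ip="198.51.100.8", cookies={"BlockID": "17!0000"})
    results["tampered_cookie_trusted"] = not page_view(blocks, forged, t0)       # False

    late = Visitor(ip="198.51.100.7", cookies={"BlockID": cookie_value_for_block(17)})
    results["cookie_outlives_expired_block"] = not page_view(blocks, late, t0 + 2 * day)  # False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two checks are the ones worth keeping in mind when reading the reports below: a cookie whose MAC does not verify is simply ignored rather than trusted, and a valid cookie stops mattering once the block it points at has expired, which is why a one-day autoblock does not keep a returning user blocked for longer than a day.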

Event Timeline

Tchanders renamed this task from Investigate whether cookie blocks are working properly to Investigate whether cookie blocks are working properly 4H. Jun 6 2022, 7:40 PM

Hi, I have been investigating this matter, blocking an IP address from my admin account and I can confirm that "blocked user, even after logging out and moving to a new IP address, will still be blocked" on my local instance and on beta.

A wikiBlockID cookie remains as I change my IP address.

I notice that when I log in to a different account, the cookie is gone.
I also notice that when I log out from this account, the cookie does not reappear when visiting the website even though I'm still using the blocked IP address.

It reappears when I try to edit a page.

@AGueyte Thanks - this sounds like the correct behaviour. Just to confirm, does the cookie get added in both the following situations?

  • When blocking an IP address with CookieSetOnIpBlock true
  • When auto-blocking a user account (i.e. with Automatically block the last IP address used by this user[...] checked) with CookieSetOnAutoblock true

Also, would it be possible to double-check that it's not possible to edit while the cookie is set?

@Ladsgroup I think you suspected cookie blocks may not be working. Was there something in particular that you thought might be wrong?

Thanks. I actually think I now know what I thought is missing.

We have lots of returning vandals who come back under a new username when we block their accounts indefinitely and I want them to stay blocked but it seems they simply create a new account and come back. Unless I'm misunderstanding this:

I notice that when I log in to a different account, the cookie is gone.

I highly think autoblock must block the user that tries to login with a new account. For complicated cases of shared devices, it's either WP:MEAT and they should stay blocked or we can unblock the block # (something we do with IPs quite often and it's by design more of a problem in IPs than shared devices).

Do you think it would be possible to implement that? I can write pages explaining why this is important.

Confirming the blockID cookie showing up when:

  • When blocking an IP address with CookieSetOnIpBlock true
  • When auto-blocking a user account (i.e. with Automatically block the last IP address used by this user[...] checked) with CookieSetOnAutoblock true

Scenario:
From my admin account AGueyte, I blocked IP Address 90.132.88.33, an IP that I'm currently using, and checked the box to block all users from this IP address
The moment I'm blocking it, my cookies change from:

Screen Shot 2022-06-13 at 2.30.22 PM.png (274×1 px, 53 KB)

to:
Screen Shot 2022-06-13 at 2.30.15 PM.png (370×1 px, 78 KB)

As I log out of my admin account AGueyte and am visiting the Special:Log page from the blocked IP 90.132.88.33, the blockID cookie shows.

Screen Shot 2022-06-13 at 2.33.37 PM.png (234×1 px, 49 KB)

Confirming that I cannot edit any pages on that blocked IP address

Screen Shot 2022-06-13 at 2.38.30 PM.png (1×1 px, 216 KB)

Screen Shot 2022-06-13 at 2.39.22 PM.png (796×2 px, 221 KB)

As I log in to another account, TorontoTest, my blockID cookie disappears but I still cannot edit a page, as I am still using the same IP address.

Screen Shot 2022-06-13 at 2.40.33 PM.png (1×1 px, 242 KB)

If I empty my cookies from my Chrome settings, I'm automatically logged out but my blockID cookie is showing up again as I'm back onto the blocked IP address and I cannot make an edit.

Let me know if you'd like me to explore another scenario!
Thank you

@Ladsgroup Thanks for clarifying. If a user is autoblocked with account creation disabled, this should prevent them from creating an account from any of the autoblocked IP addresses (I just tested that this works locally). However, autoblocks only last for one day. Could that be the problem?

Pinging @Niharika too since we seem to be discussing a new feature request potentially.

Moving this to Done for the purposes of investigating whether cookie blocks are working - thanks @AGueyte

Thanks for the investigation @AGueyte and @Tchanders.

@Ladsgroup the idea makes sense to me but I think we should run it by the community before making this change as it will be effectively invisible in the interface. I don't want to assume this seems obvious to everyone. Can you please file a ticket for requesting this feature? I'll see what I can do about kick starting a community discussion. Thanks!

Sure thing 🎉