
"New device" email sent if cookie has expired
Open, Needs TriagePublicBUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Delete the loginnotify_prevlogins cookie (or wait until it expires)
  • Go to Special:Preferences and click Change Password
  • You are asked to log in with your existing password, even if you have an active session

What happens?:

Login-Notify sends you an email saying "Someone (probably you) recently logged in to your account from a new device."

What should have happened instead?:

No email is sent.

Software version (skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

This happened to me today when I changed my wikitech password. Wikitech seems to set a 6-month expiration for the loginnotify_prevlogins cookie, while enwiki seems to set a 2-year one.

I could reproduce the issue by deleting the cookie loginnotify_prevlogins then clicking on "Change password" again.

Event Timeline


Adding some more details:

I’m not 100% sure it’s a bug, but it sure was confusing because it gave me the feeling there was a security risk (someone else logging in with my account). So I would suggest at least rewording the message.

I was also curious to hear the opinion of someone who knows the codebase, and might have a better idea if this was intended behaviour, or an edge case that wasn’t considered.

The “weird” behaviour is that the login cookie was still valid, so I could use wikitech just fine with my account, but when I went to change my password, I received that email, and I thought: I’ve been using this device all day, so what “new device” is it talking about? :)

This should only happen if your IP address is in a /24 subnet (or /64 for IPv6) that hasn't been used for login in the past 80 days. Can you comment on whether that is likely to be the case?

If the subnet is unknown and there is no cookie, then yes, we send a notification.

The cookie expiration should be 6 months everywhere.

Arguably you are on a known device if you are already logged in and clicking the "change password" button. You could call that a bug. You could say we're not saving the subnet or refreshing the cookie often enough.

Regarding the wording of the email, that could be discussed on T194385.
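A reduced model of the decision described in the comment above, added here as an illustration and not the extension's own code. The 80-day window, the /24 and /64 granularity, the 6-month cookie lifetime and the rule "unknown subnet and no cookie means notify" come from this task; the in-memory cache layout, the single-flag cookie, the RFC 5737 documentation addresses and the timestamps are constructed assumptions (real LoginNotify keeps hashed entries in its cache and cookie). It replays the reporter's timeline: one login, a session that outlives the 80-day subnet memory, the cookie deleted, then a re-authentication from the same network that is treated as a new device.

```python
"""Simplified model of the LoginNotify 'new device' decision discussed in this task.

Constructed example, not the extension's code. It keeps an in-memory map of
/24 (IPv4) or /64 (IPv6) subnets to the last login time, and a single expiry
timestamp standing in for the loginnotify_prevlogins cookie.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

KNOWN_SUBNET_WINDOW = timedelta(days=80)   # "hasn't been used for login in the past 80 days"
COOKIE_LIFETIME = timedelta(days=180)      # "The cookie expiration should be 6 months everywhere."


def subnet_key(ip: str) -> str:
    """Collapse an address to the subnet the check treats as 'the same network'."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class DeviceTracker:
    def __init__(self) -> None:
        self.known_subnets: dict[str, datetime] = {}   # subnet -> last login time
        self.cookie_expires: datetime | None = None    # None means no cookie at all

    def record_login(self, ip: str, now: datetime) -> None:
        """What a successful login does: remember the subnet and (re)issue the cookie."""
        self.known_subnets[subnet_key(ip)] = now
        self.cookie_expires = now + COOKIE_LIFETIME

    def cookie_present(self, now: datetime) -> bool:
        return self.cookie_expires is not None and now < self.cookie_expires

    def subnet_known(self, ip: str, now: datetime) -> bool:
        last = self.known_subnets.get(subnet_key(ip))
        return last is not None and now - last <= KNOWN_SUBNET_WINDOW

    def should_notify(self, ip: str, now: datetime) -> bool:
        """'If the subnet is unknown and there is no cookie, then yes, we send a notification.'"""
        return not self.cookie_present(now) and not self.subnet_known(ip, now)


def reproduce_report() -> dict[str, bool]:
    """Three scenarios; only the first one (the task's timeline) sends an email."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    ip = "203.0.113.7"          # RFC 5737 documentation address, constructed
    same_net = "203.0.113.9"    # a different host in the same /24

    # Case 1 (the report): login, session kept alive, cookie deleted,
    # re-authentication for "Change password" 100 days later from the same /24.
    tr = DeviceTracker()
    tr.record_login(ip, t0)
    tr.cookie_expires = None                           # reporter deleted the cookie
    stale = tr.should_notify(same_net, t0 + timedelta(days=100))

    # Case 2: cookie deleted, but the subnet was used within the 80-day window.
    tr = DeviceTracker()
    tr.record_login(ip, t0)
    tr.cookie_expires = None
    recent = tr.should_notify(same_net, t0 + timedelta(days=30))

    # Case 3: cookie still present, so no email even from an unrelated subnet.
    tr = DeviceTracker()
    tr.record_login(ip, t0)
    present = tr.should_notify("198.51.100.1", t0 + timedelta(days=100))

    return {
        "deleted_cookie_stale_subnet": stale,     # True: the confusing email
        "deleted_cookie_recent_subnet": recent,   # False
        "cookie_present": present,                # False
    }


if __name__ == "__main__":
    for name, notified in reproduce_report().items():
        print(f"{name}: {'email sent' if notified else 'no email'}")
```

The model makes the maintainer's point concrete: an active session plays no part in the decision, so the only things that can suppress the email are a still-valid cookie or a login recorded in the last 80 days, and in the reporter's case both had lapsed even though the device itself had never changed.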

> This should only happen if your IP address is in a /24 subnet (or /64 for IPv6) that hasn't been used for login in the past 80 days. Can you comment on whether that is likely to be the case?

Yes, before changing the password and receiving the email I don't recall logging in for quite a long time. So it's very likely my last login prior to receiving the message was more than 80 days before. Maybe from the same IP, or maybe from a completely different one.

> Arguably you are on a known device if you are already logged in and clicking the "change password" button. You could call that a bug. You could say we're not saving the subnet or refreshing the cookie often enough.

That's exactly my point, not a serious bug, but probably still a bug?

> The cookie expiration should be 6 months everywhere.

Yes, sorry, I just re-tested this by logging in again to enwiki:

Last Accessed:"Thu, 04 Apr 2024 09:22:58 GMT"
Expires / Max-Age:"Tue, 01 Oct 2024 09:22:58 GMT"
Created:"Mon, 29 Aug 2022 09:26:56 GMT"

The last time I checked, I was confused by the "Created" timestamp in 2022 and assumed the cookie had a longer expiration time, I've edited the task description.