
Session duration is not correctly enforced
Open, Needs Triage | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Log in to one of the WMF wikis, but don't choose the "remember me for 365 days" option
  • Make some edits, notice the time you did your last edit
  • Leave the browser open for more than 12 hours but less than 24 hours; in that period, don't use the browser at all
  • Return to that browser and refresh the wiki page you were on last
  • Notice if you are still logged in or not

What happens?:

  • Sometimes you stay logged in (in my experience, it is about 80% of the time); other times, you find yourself logged out

What should have happened instead?:

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia): 1.44.0-wmf.17 (1abfde3)

I am adding a WMF tag and a MW tag, because I am unsure if this is a site config issue or an underlying software issue that results in the session expiry not being honored.

Event Timeline

Thanks for reporting! Are you willing to do some debugging around this? If you could provide the exact timestamp for the last logged-in request and the first not-logged-in request, I could check if the logs contain anything useful.

Also can you check whether the cookie lifetime for the various authentication cookies (<wiki>Session, <wiki>UserName, centralauth_Session, centralauth_User) are 24+ hours as expected? And tell what browser you are using?

There are a number of things that could go wrong:

  • Kask expiry (set correctly but who knows)
  • SessionBackend::renew() doing something bad
  • the browser restricting cookie lifetime as part of anti-tracking protections (e.g. Safari ITP or Firefox ETP)
  • SessionManager deeming the session invalid for some non-expiry-related reason
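The cookie-lifetime check requested in the comment above, as an added example (not part of the thread and not MediaWiki code): it parses `Set-Cookie` header values and classifies each authentication cookie as a browser-session cookie, shorter than 24 hours, or long enough. The `examplewiki` prefix, the sample headers and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Cookie names from the thread; "<wiki>" is a per-wiki prefix.
WIKI_SUFFIXES = ("Session", "UserName")
CENTRAL_NAMES = ("centralauth_Session", "centralauth_User")


def is_auth_cookie(name):
    return name in CENTRAL_NAMES or name.endswith(WIKI_SUFFIXES)


def cookie_lifetime(set_cookie, now):
    """Return (name, lifetime) for one Set-Cookie header value.

    lifetime is None when neither Max-Age nor Expires is present, i.e. the
    browser keeps the cookie only until the browser session ends.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = timedelta(seconds=int(val))
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip()) - now
    # RFC 6265: when both attributes are present, Max-Age takes precedence.
    return name, max_age if max_age is not None else expires


def audit(headers, now, minimum=timedelta(hours=24)):
    """Map each authentication cookie to 'browser-session', 'short' or 'ok'."""
    result = {}
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if is_auth_cookie(name):
            result[name] = ("browser-session" if lifetime is None
                            else "short" if lifetime < minimum else "ok")
    return result


# Constructed sample headers (not taken from the private paste).
NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    "examplewikiSession=abc123; path=/; secure; HttpOnly",
    "examplewikiUserName=Example; expires=Wed, 02 Apr 2025 09:00:00 GMT; Max-Age=2764800; path=/",
    "centralauth_Session=def456; path=/; domain=.example.org; secure; HttpOnly",
    "centralauth_User=Example; expires=Sat, 01 Mar 2025 21:00:00 GMT; path=/; secure",
    "examplewikimwuser-sessionId=0123; path=/",
]
```

A `browser-session` result means the browser applies no expiry time of its own to that cookie, so a mid-session logout has to come from one of the other causes listed above.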

Thanks for reporting! Are you willing to do some debugging around this? If you could provide the exact timestamp for the last logged-in request and the first not-logged-in request, I could check if the logs contain anything useful.

Yes I am happy to. I will have to wait for it to occur again, but I will pay attention to collect the details this time and will securely share it with you.

Also can you check whether the cookie lifetime for the various authentication cookies (<wiki>Session, <wiki>UserName, centralauth_Session, centralauth_User) are 24+ hours as expected? And tell what browser you are using?

Firefox on Mac. <wiki>Session and centralauth_Session have an expiry value of "Session" (i.e. no specific date and time). <wiki>UserName and <wiki>UserID and centralauth_User have an expiry that is approximately 32 days in the future.

@Tgr it happened again. I have provided some details in this private paste: P73705

Of note, the session ID I shared is likely a newly assigned session ID for my logged out state. There are no <wiki>Session, centralauth_Session, or centralauth_User keys in my cookies. The only key that exists is the <wiki>mwuser-sessionId which I referenced in that paste. If you need additional details, I can provide them within reason.

Ah, it gets more complicated! Note that I was logged out when I refreshed the page. I clicked the login link, and instead of going to the login page, it logged me in! This is different from the last time I had this experience (that time, clicking on the login link took me to the login form).

@Tgr it happened once again. This time, it didn't log me back in when I clicked on the login link. I had to properly log in with my username and password. The duration of inactivity was only around 12 hours. I have updated P73705 accordingly.

It happened again. And similar to last time, it resulted in me having to log in again. Duration of inactivity was somewhere between 12 and 13 hours in both of these cases.

FYI it keeps happening every few days, at random times.

The most extreme version of it happened today, when I made an edit and literally 10 minutes later, the wiki forced me to log in again. All I did was refresh the page in the tab that was open since my edits.