
Security Problem on Login with "Remember me"
Closed, Declined. Public

Description

Author: g9223

Description:
Login with "remember me" option isn't affected by Password changed.

  1. login with "remember me" option on "one" browser
  2. change your password on other browser
  3. you can still login with "remember me" on browser "one".

Version: 1.8.x
Severity: normal
OS: Windows XP
Platform: PC
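The report turns on whether a "remember me" cookie keeps working after the password behind it changes. The following added example (not MediaWiki or phpBB code) shows the design under which the three steps above end in a logged-out browser: each remember-me cookie is bound to a per-user random token that is regenerated whenever the password is set, so a cookie issued at step 1 fails validation at step 3. The user store, user name and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store (username -> record); stands in for a database.
USERS = {}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(name, password):
    salt = secrets.token_bytes(16)
    USERS[name] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        # Per-user random token; every remember-me cookie is bound to it.
        "token": secrets.token_hex(32),
    }

def set_password(name, new_password):
    rec = USERS[name]
    rec["salt"] = secrets.token_bytes(16)
    rec["pw_hash"] = _hash_password(new_password, rec["salt"])
    # Rotating the token is what invalidates cookies issued before the change.
    rec["token"] = secrets.token_hex(32)

def issue_remember_cookie(name):
    """Cookie value the server sets when 'remember me' is ticked at login."""
    return f"{name}:{USERS[name]['token']}"

def validate_remember_cookie(cookie):
    """Return the user name if the cookie still matches the stored token, else None."""
    name, _, token = cookie.partition(":")
    rec = USERS.get(name)
    if rec is None:
        return None
    # Constant-time comparison so the check leaks nothing about the stored token.
    if not hmac.compare_digest(token.encode(), rec["token"].encode()):
        return None
    return name

def stale_cookie_still_accepted():
    """Replay the report's three steps; True would mean the bug is present."""
    create_user("lon", "old-password")
    browser_one = issue_remember_cookie("lon")    # step 1: remembered login
    set_password("lon", "new-password")            # step 2: change from another browser
    return validate_remember_cookie(browser_one) is not None  # step 3
```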

Details

Reference
bz7725

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 9:23 PM
bzimport set Reference to bz7725.
bzimport added a subscriber: Unknown Object (MLST).

g9223 wrote:

without typing new passwords

I can't reproduce this with either 1.8.2 or current 1.9 dev trunk; the first browser's session becomes
invalid and subsequent page views on it are logged-out.

Lon, please confirm that you're not just seeing cached pages -- go to a new page, try editing, view
a special page such as Special:Version etc.

g9223 wrote:

It's the problem that the cookie data of the login info is still valid on the first
browser.

No matter how I modified my account data in the database, the first browser is
still allowed to edit my page.

Thanks for your reply..

Lon, what you say is not true in my testing. Please provide exact directions on how to
reproduce the problem. (The directions you give above result in failure.)

g9223 wrote:

Sorry, I found that the condition also happens in the phpBB system. Maybe it is
just considered a normal condition.

My condition is that I logged in to the wiki system with the "remember me" option on my
friend's computer and forgot to log out. One day someone edited the wiki page with my
account, but I don't know who did that. Then I changed my password to prevent
this, but it wouldn't work.
So I think that it's a bug.

I don't know if it is considered a normal condition or not.

Thanks a lot.

What wouldn't work?

As I mentioned above, the steps you describe result in the first browser being logged out as
desired. The problem does not occur.

ayg wrote:

(In reply to comment #5)

> My condition is that I logged in to the wiki system with the "remember me" option on my
> friend's computer and forgot to log out. One day someone edited the wiki page with my
> account, but I don't know who did that. Then I changed my password to prevent
> this, but it wouldn't work.
> So I think that it's a bug.

Could someone have been editing from your computer, where the new password is
stored? Or from some other computer, where you didn't check "Remember me" but
didn't log out and so remained logged in for a few minutes? Or could you have
just forgotten?

Please try to *deliberately* reproduce this, by checking "remember me", changing
your password, and then trying to use the remembered password to log in from the
other computer. Brion did try that, and it didn't work, so probably your
inference as to the cause of the unexplained edits is incorrect.