Change Details

Three reports so far: * Matiia was recognized as Schexnayder on commonswiki on 2016-01-29 * Matanya as Pas99 on hewiki on 2016-01-30 * FallingGravity as 023yangbo on enwiki on 2016-02-22 Outreach/report collection task is {T126069}. Hypotheses so far: * Set-Cookie header gets cached (has happened in past) ** SessionManager emits Set-Cookie in some cases old code did not (when `$wgUser` is not unstubbed during the request, or when cookies are inconsistent in certain ways) ** varnish nukes everything with a Set-Cookie, but has an exception for Special:HideBanner ** all pages should vary on cookie, and they should set `Cache-control: private` if the session is persisted (and it must be persisted if Set-Cookie is output for session things). RawAction did not do that (now patched), load.php and similar secondary endpoints still don't. ** if Set-Cookie gets cached, shouldn't there be lots of incidents with the same user? * job runner does multiple importScopedSession calls in same request which somehow leak through ** doesn't seem to be any leak Other things looked at: * no obvious pattern in user ids (such as having the same id on different wikis) * session id generation was guarded with an extra check in case there is some sort of random generator failure, that didn't help

Three reports so far: * Matiia was recognized as Schexnayder on commonswiki on 2016-01-29 * Matanya as Pas99 on hewiki on 2016-01-30 * FallingGravity as 023yangbo on enwiki on 2016-02-22 Outreach/report collection task is {T126069}. Hypotheses so far: * Set-Cookie header gets cached (has happened in past) ** SessionManager emits Set-Cookie in some cases old code did not (when `$wgUser` is not unstubbed during the request, or when cookies are inconsistent in certain ways) ** varnish nukes everything with a Set-Cookie, but has an exception for Special:HideBanner ** all pages should vary on cookie, and they should set `Cache-control: private` if the session is persisted (and it must be persisted if Set-Cookie is output for session things). RawAction did not do that (now patched), load.php and similar secondary endpoints still don't. ** if Set-Cookie gets cached, shouldn't there be lots of incidents with the same user? * job runner does multiple importScopedSession calls in same request which somehow leak through ** doesn't seem to be any leak Other things looked at: * no obvious pattern in user ids (such as having the same id on different wikis) * session id generation was guarded with an extra check in case there is some sort of random generator failure, that didn't help * added logging for same session or user account being used from lots of different IPs simultaneously, didn't find anything interesting

Three reports so far: * Matiia was recognized as Schexnayder on commonswiki on 2016-01-29 * Matanya as Pas99 on hewiki on 2016-01-30 * FallingGravity as 023yangbo on enwiki on 2016-02-22 Outreach/report collection task is {T126069}. Hypotheses so far: * Set-Cookie header gets cached (has happened in past) ** SessionManager emits Set-Cookie in some cases old code did not (when `$wgUser` is not unstubbed during the request, or when cookies are inconsistent in certain ways) ** varnish nukes everything with a Set-Cookie, but has an exception for Special:HideBanner ** all pages should vary on cookie, and they should set `Cache-control: private` if the session is persisted (and it must be persisted if Set-Cookie is output for session things). RawAction did not do that (now patched), load.php and similar secondary endpoints still don't. ** if Set-Cookie gets cached, shouldn't there be lots of incidents with the same user? * job runner does multiple importScopedSession calls in same request which somehow leak through ** doesn't seem to be any leak Other things looked at: * no obvious pattern in user ids (such as having the same id on different wikis) * session id generation was guarded with an extra check in case there is some sort of random generator failure, that didn't help * added logging for same session or user account being used from lots of different IPs simultaneously, didn't find anything interesting