Change Details

Certain pages must be used shortly after login; if that's not the case, the user is asked to reauthenticate. (See [[https://www.mediawiki.org/wiki/Manual:$wgReauthenticateTime|$wgReauthenticateTime]].) This is to prevent an attacker from stealing a session cookie and then e.g. changing the password. Since some of the "login" logic is shared between login and autocreation (specifically they both call `AuthManager::setSessionDataForUser()`, which is the method that sets the `AuthManager:lastAuthTimestamp` field in session data, which will be used for reauthentication checks), AuthManager ends up considering autocreation the same way as login. This means an attacker who got hold of a CentralAuth session cookie (valid on any wiki) can just visit a wiki where the user has no local account yet, get an account autocreated, and then change credentials or perform other sensitive operations.

Certain pages must be used shortly after login; if that's not the case, the user is asked to reauthenticate. (See [[https://www.mediawiki.org/wiki/Manual:$wgReauthenticateTime|$wgReauthenticateTime]].) This is to prevent an attacker from stealing a session cookie and then e.g. changing the password. Since some of the "login" logic is shared between login and autocreation (specifically they both call `AuthManager::setSessionDataForUser()`, which is the method that sets the `AuthManager:lastAuthTimestamp` field in session data, which will be used for reauthentication checks), AuthManager ends up considering autocreation the same way as login. This means an attacker who got hold of a CentralAuth session cookie (valid on any wiki) can just visit a wiki where the user has no local account yet, get an account autocreated, and then change credentials or perform other sensitive operations. See also {T389010}.

Certain pages must be used shortly after login; if that's not the case, the user is asked to reauthenticate. (See [[https://www.mediawiki.org/wiki/Manual:$wgReauthenticateTime|$wgReauthenticateTime]].) This is to prevent an attacker from stealing a session cookie and then e.g. changing the password. Since some of the "login" logic is shared between login and autocreation (specifically they both call `AuthManager::setSessionDataForUser()`, which is the method that sets the `AuthManager:lastAuthTimestamp` field in session data, which will be used for reauthentication checks), AuthManager ends up considering autocreation the same way as login. This means an attacker who got hold of a CentralAuth session cookie (valid on any wiki) can just visit a wiki where the user has no local account yet, get an account autocreated, and then change credentials or perform other sensitive operations. See also {T389010}.