
304 (not modified) responses not suppressed after user session expires
Open, MediumPublic

Description

Here's an interesting problem. A user, call him Nurdsburg, who has
chosen one of the non-default skins in Preferences, logs in to our wiki
but does NOT check "[ ]Remember my login on this computer." After he is
finished he closes the browser and/or powers off the computer.

The next user starts the browser and finds our wiki all wacky today,
and unless he creates an account and logs in, he can't shake off the
effects of that unrelated previous user's skin choice.

OK, he clicks "Log in / create account", and no matter if Log in, or
create account, he is greeted with "Nurdsburg" already filled in
(<input class="loginText" .. value="Nurdsburg">).

It's as if we check into our hotel room only to find the previous
occupant has not checked out.

Well, OK, he has checked out (as we don't have ALL his cookies), but
room service has not cleaned up the room.

Maybe the intention is to make things a little more comfortable if
Nurdsburg comes back, but I don't know of any other application that
does not restore itself completely when the user logs out...
which indeed Nurdsburg needs to do explicitly, leaving only cookies
radioscanningtwUserName=Nurdsburg; radioscanningtwLoggedOut=20090601202502,
unless he wants to mess it up for the next guy.

Suggestions: I suppose the cookies are that way for a reason. Well, then
at least don't use the skin of the previous logged out user,
even if you still insist on filling in his name in Log in.


Version: 1.16.x
Severity: normal

Details

Reference
bz19048

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 10:39 PM
bzimport set Reference to bz19048.
bzimport added a subscriber: Unknown Object (MLST).

The proposed fix appears to be totally broken, so I'm reopening this.

Jidanni, the LoggedOut cookie is there so that you *don't* see the skin from a previous user. As long as that cookie is there, the client-side cache is suppressed, by suppressing 304 response codes. If you're saying that you can see the cached HTML from a previous user *without* deleting your cookies, then please supply a trace of the relevant actions captured with LiveHTTPHeaders (remove any passwords and truncate session ID and token before posting).

If you're seeing cached HTML from a previous user and you did delete your cookies, then we can't do anything about that and it's not a bug.

If you're seeing uncached pages with no username in the top right corner, implying they were generated for an anonymous user, but with the wrong skin, then we will need some more details about your configuration since I can't reproduce any such thing.

It seems to be working OK now.

freak wrote:

Ok here we go ...
Clean browser (all cache and all cookies for test host removed).

http://www.abakus.si/jk/jksvn-my/index.php?title=Main_Page (my MySQL install for parsertests, so don't panic about security and you can play around on it if you wish)

  • no cookies
  • default skin.

Log in as tester/retset without "remember me".

  • cookies wikidb_session=ee053cd3d36c3f479dfd3ab277ecd5d4; wikidbUserID=2; wikidbUserName=Tester
  • user skin

Close browser, reopen, go to main-page

  • cookies wikidbUserID=2; wikidbUserName=Tester
  • user skin
  • top-right urls as if the user is logged in

Clicking on any link produces pages as if the user is not logged in (which is correct behaviour).
Clicking back to main page gives me the logged in state.
Forcing a main page refresh with action=purge finally gives me correct top-right urls.

Note that I have already reopened the browser and clicked around the page, but the skin is still set to the user preference (wrong), while the page tells me that I'm logged out (correct).
Cookies are still wikidbUserID=2; wikidbUserName=Tester; wikidb_session=f3634c5dfb12193e72a6703ee0bd8b00

This is default mysql install, no variables changed after installation except $wgCookiePath and there is no proxy.

Logging in and clicking log out or deleting all cookies (or waiting for cookies to timeout) returns skin back to default.

If you don't click "log out" then you don't get a LoggedOut cookie, so you don't get 304s suppressed. Is this the problem? A trace from LiveHTTPHeaders (like I asked for earlier) would help to confirm this.

You're not still claiming that r58313 fixes it are you?

freak wrote:

LiveHTTPHeaders trace

Yes, problem occurs if you do not press "log out". Pressing "log out" works fine ... i never denied that.

r58313 uses the presence of Token (or better its absence) in session and cookie to check if the user specified in the cookie is still active, but as you explained in your reply on the code revision this procedure will not work on all setups.

The correct solution would probably be to create loggedOut cookie on client if there is a UserID cookie present but there is no active session.

Attaching the requested LiveHTTPHeaders trace. Would appreciate pointers (or ref-cursors:)) on how to solve this ...

Attached:
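
The following is an added example, not code from MediaWiki or from anyone in this thread. It models the conditional-GET decision that the comments above describe: the <prefix>LoggedOut cookie carries a timestamp, and a 304 is refused for anything the client cached before that timestamp; on top of that it implements the rule freak proposes, treating a UserID cookie with no live session as a logout and handing the client a LoggedOut cookie. The cookie prefix, the in-memory session table and the request data are assumptions constructed for the demo.

```python
"""Model of the 304-suppression logic discussed in this bug.

Added example; not MediaWiki's OutputPage code. Timestamps in the
LoggedOut cookie use the 14-digit YYYYMMDDHHMMSS form seen in the
cookie dumps on this page (e.g. 20100318163206).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: $wgCookiePrefix as in freak's trace ("wikidb").
COOKIE_PREFIX = "wikidb"


def parse_mw_timestamp(ts: str) -> datetime:
    """Parse MediaWiki's 14-digit UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def decide(request_headers, cookies, page_touched, sessions, now=None):
    """Return (status, set_cookie) for a conditional GET of a page.

    request_headers: dict of request headers (only If-Modified-Since is used)
    cookies:         dict of request cookies, names already prefixed
    page_touched:    aware datetime when the page content last changed
    sessions:        dict session_id -> user_id (str) of live server sessions
    now:             injectable clock, defaults to the real UTC time
    """
    uid = cookies.get(COOKIE_PREFIX + "UserID")
    sid = cookies.get(COOKIE_PREFIX + "_session")
    logged_in = uid is not None and sid in sessions and str(sessions[sid]) == uid

    # Proposed rule: a UserID cookie survived but the session did not (browser
    # closed without "remember me", or the session simply expired). Treat it
    # like an explicit logout: never answer 304, and give the client a
    # LoggedOut cookie so later conditional requests stay suppressed too.
    if uid is not None and not logged_in:
        stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")
        return 200, f"{COOKIE_PREFIX}LoggedOut={stamp}"

    # Existing mechanism: the LoggedOut timestamp moves the effective
    # Last-Modified forward, so any copy cached before the logout is stale.
    effective = page_touched
    logged_out = cookies.get(COOKIE_PREFIX + "LoggedOut")
    if logged_out:
        effective = max(effective, parse_mw_timestamp(logged_out))

    ims = request_headers.get("If-Modified-Since")
    if ims is None:
        return 200, None
    try:
        client_has = parsedate_to_datetime(ims)
    except (TypeError, ValueError):
        return 200, None  # unparsable validator: send a full response
    if client_has.tzinfo is None:
        client_has = client_has.replace(tzinfo=timezone.utc)
    # HTTP dates have one-second resolution, so drop sub-second parts.
    if client_has >= effective.replace(microsecond=0):
        return 304, None
    return 200, None


def demo():
    """Run the four client states from the traces above against one page."""
    page = parse_mw_timestamp("20100301000000")         # constructed
    hdrs = {"If-Modified-Since": "Thu, 18 Mar 2010 12:00:00 GMT"}
    sessions = {"ee053cd3d36c3f479dfd3ab277ecd5d4": "2"}  # live session for Tester
    return {
        "anonymous": decide(hdrs, {}, page, sessions),
        "after_logout": decide(hdrs, {"wikidbLoggedOut": "20100318163206"}, page, sessions),
        "stale_cookies": decide(
            hdrs,
            {"wikidbUserID": "2", "wikidbUserName": "Tester", "wikidb_session": "f3634c5dfb12193e72a6703ee0bd8b00"},
            page, sessions, now=parse_mw_timestamp("20100318170000")),
        "logged_in": decide(
            hdrs,
            {"wikidbUserID": "2", "wikidb_session": "ee053cd3d36c3f479dfd3ab277ecd5d4"},
            page, sessions),
    }


if __name__ == "__main__":
    for state, result in demo().items():
        print(f"{state:14s} -> {result}")
```

The "stale_cookies" case is the one this bug is about: the client still sends a UserID cookie, the session id no longer matches a server-side session, and without the extra rule the server would happily answer 304 and let the browser reuse HTML rendered with the user's skin. Keying the rule on UserID-without-session rather than on the LoggedOut cookie also sidesteps the lifetime mismatch Saper notes later in the thread (a LoggedOut cookie that lives about a day next to UserID/UserName cookies that live a month).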

I can confirm exactly the described behaviour using r61343, when using

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

I have a feeling I see this every time, especially when 1) I didn't log out
and 2) try to browse the wiki anonymously on the next day.

If I login I am getting those cookies:

Name wikimania2010dbUserID
Value 14
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:17:42 GMT

Name wikimania2010dbUserName
Value Saper
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:17:42 GMT

Name wikimania2010db_session
Value cebd49ddcfd2e497e24fc5826d333bb4
Host www.wikimania2010.pl
Path /
Secure No
Expires At End Of Session

After logout I return to the Monobook anonymously:

Name wikimania2010dbUserID
Value 14
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:17:42 GMT

Name wikimania2010dbUserName
Value Saper
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:17:42 GMT

Name wikimania2010db_session
Value cebd49ddcfd2e497e24fc5826d333bb4
Host www.wikimania2010.pl
Path /
Secure No
Expires At End Of Session

(It's 18 Mar 2010 today.)

I don't know *how* to reproduce this reliably. What happens is the following:

  1. User Saper uses myskin theme
  2. I have some customizations in the Special:Mypage/myskin.css
  3. When I come back as anonymous, I get a "clean" myskin layout (basically mediawiki html with no frills) without my customizations (which is understandable).
  4. I have checked cookies and my browser had at the time I got this effect:

wikimania2010db_session
wikimania2010dbUserName
wikimania2010dbUserID

  5. Deleting session and dbUserID didn't help.
  6. Deleting dbUserName allowed me to see the default monobook again.
  7. I am sure the above setup didn't have "loggedout" cookie

I can achieve the same visual effect manually wherever I delete the Loggedout cookie manually after the logoff, but that doesn't count as reproducing the problem.

After I logged out for a second time, I got this set of cookies:

Name wikimania2010dbLoggedOut
Value 20100318163206
Host www.wikimania2010.pl
Path /
Secure No
Expires Fri, 19 Mar 2010 16:32:04 GMT

Name wikimania2010dbUserName
Value Saper
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:31:37 GMT

Name wikimania2010db_session
Value 291e2b7a648c257afb61f7ebd4696422
Host www.wikimania2010.pl
Path /
Secure No
Expires At End Of Session

so, dbUserID was gone but session was still there (unlike the previous attempt).

I login again (and I get my customized myskin look of course):

Name wikimania2010dbLoggedOut
Value 20100318163206
Host www.wikimania2010.pl
Path /
Secure No
Expires Fri, 19 Mar 2010 16:32:04 GMT

Name wikimania2010dbUserID
Value 14
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:34:31 GMT

Name wikimania2010dbUserName
Value Saper
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 16:34:31 GMT

Name wikimania2010db_session
Value 291e2b7a648c257afb61f7ebd4696422
Host www.wikimania2010.pl
Path /
Secure No
Expires At End Of Session

This is getting crazy.... (old LoggedOut and new UserID, UserName, session
cookies?)

I think the problem may be related to the expiration time of the LoggedOut cookie (it's only 24 hours or something).

However, I think that the browser carrying "wikimania2010dbUserName"
without a valid authenticated session should influence MediaWiki behavior
at all (except the login form, maybe).

"without a valid authenticated session should *NOT* influence MediaWiki"...

I just got somehow logged out of the site; right now I am browsing as an anonymous user with the logged-in skin.

It is 18-03-2010 22:16:36 localtime (UTC+1)

My set of cookies:

Name wikimania2010dbLoggedOut
Value 20100318170524
Host www.wikimania2010.pl
Path /
Secure No
Expires Fri, 19 Mar 2010 17:05:22 GMT

Name wikimania2010dbUserID
Value 14
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 17:05:45 GMT

Name wikimania2010dbUserName
Value Saper
Host www.wikimania2010.pl
Path /
Secure No
Expires Sat, 17 Apr 2010 17:05:45 GMT

Name wikimania2010db_session
Value 291e2b7a648c257afb61f7ebd4696422
Host www.wikimania2010.pl
Path /
Secure No
Expires At End Of Session

Jure:
This report has been in ASSIGNED status for more than one year and you are set as its assignee. If you are not actively working on a fix, please reset the bug status to NEW/UNCONFIRMED.
In case you do not plan to work on a fix in the near future: Please also edit the "Assigned To" field by clicking "Reset Assignee to default", in order to not prevent potential contributors from working on a fix. Thanks for your help!
[assigned>=1y]