Page MenuHomePhabricator
Create Task
Maniphest T68699

Increase "remember me" login cookie expiry from 30 days to 1 year on Wikimedia wikis
Closed, ResolvedPublic
Actions

Assigned To
Mattflaschen-WMF
Authored By
bzimport
Jun 17 2014, 5:50 AM
Tags
Referenced Files
None
Subscribers
Aklapper
APalmer_WMF
ArielGlenn
Barfield81
Bawolff
BBlack
csteipp
View All 34 Subscribers
Tokens
"Doubloon" token, awarded by RandomDSdevel."Like" token, awarded by Deskana."Like" token, awarded by waldyrious.

Description

Scheduled: This is scheduled for this Tuesday (2016-08-16) during the 15:00 UTC SWAT window.

Author: swalling

Description:
Previously, we were required to remember a user's session information for no longer than 30 days on Wikimedia sites. The new privacy policy (https://meta.wikimedia.org/wiki/Privacy_policy) does not require such a limitation, and in fact explicitly calls out remembering logins as a use case: "...such as by using cookies to maintain your session when you log in or to remember your username in the login field."

As such, if a user checks the "keep me logged in option" on the login form, cookie expiry should be set to one year.

In practice, this will often be shorter, since users often travel across many browsers or devices, and may clear their cookies. At the very least, users who opt in to being remembered should have their sessions remembered for longer than the arbitrary 30 day limit.

See Also:
T69512: Allow concurrent "remember me" logins

Details

Reference
bz66699
SubjectRepoBranchLines +/-
Rm unused 'remembermypassword' message, doc anothermediawiki/coremaster+1 -3
Change login cookies (for 'Keep me logged in') to a one year expiry.operations/mediawiki-configmaster+1 -0
Set one year login in Beta Clusteroperations/mediawiki-configmaster+3 -0
Extended login: Don't use a $wg config variable, add UserNamemediawiki/coremaster+55 -25
Make CentralAuth explicitly say which cookies need to be extendedmediawiki/extensions/CentralAuthmaster+17 -15
Configure logged in session length independentlymediawiki/coremaster+163 -3
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
Resolved Mattflaschen-WMFT68699 Increase "remember me" login cookie expiry from 30 days to 1 year on Wikimedia wikis
ResolvedLegoktmT37707 Complete unification of all accounts to SUL
ResolvedTgrT109031 Have userlogin-remembermypassword respect extended login cookie expiration
ResolvedTgrT135504 Enable AuthManager in WMF production
Resolved Whatamidoing-WMFT143112 Announce changes to login length to the communities
· · ·

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Mpaulson added a comment.Apr 18 2016, 11:29 PM

@Mattflaschen - Has this been changed to one year now?

Mattflaschen-WMF added a comment.Apr 21 2016, 4:19 PM
In T68699#2216256, @Mpaulson wrote:

@Mattflaschen - Has this been changed to one year now?

No, it's still being worked on.

Mattflaschen-WMF closed subtask T109031: Have userlogin-remembermypassword respect extended login cookie expiration as Resolved.Jun 2 2016, 10:26 PM
Mattflaschen-WMF added a subscriber: jmatazzoni.Jun 2 2016, 10:32 PM

This is now unblocked technically, I think.

@Jdforrester-WMF @jmatazzoni What do you think? See BBlack's comment above.

Jdforrester-WMF added a comment.Jun 2 2016, 11:03 PM

From a Product POV I'd be OK with this going out. I agree somewhat that there are alternatives we can consider, but I think this would be a good move for now.

Mattflaschen-WMF added a comment.Jun 7 2016, 11:50 PM

Okay, speak now... I'll check back in about a week and if no one has objected will re-sync with Legal in order to go ahead and do it.

Mattflaschen-WMF added a comment.Jun 8 2016, 5:42 PM

This also needs to wait until AuthManager is enabled (wgDisableAuthManager false) in production.

Mattflaschen-WMF added a subtask: T135504: Enable AuthManager in WMF production.Jun 8 2016, 5:45 PM
Glaisher subscribed.Jun 8 2016, 5:49 PM
Paladox subscribed.Jun 9 2016, 12:18 PM
Anomie mentioned this in T135656: GlobalRename is broken, presumably due to authmanager changes.Jun 9 2016, 3:16 PM
Whatamidoing-WMF added a comment.Jun 9 2016, 9:05 PM

Do it do it do it do it do it please.

Okay, maybe you really do need to wait for AuthManager. But count me as an active supporter for getting this done as soon as reasonably possible, not just in the category of "silence is consent".

Tgr closed subtask T135504: Enable AuthManager in WMF production as Resolved.Jun 10 2016, 5:53 PM
gerritbot added a comment.Jun 22 2016, 4:40 PM

Change 295551 had a related patch set uploaded (by Mattflaschen):
Extended login: Don't use a $wg config variable, add UserName

https://gerrit.wikimedia.org/r/295551

gerritbot added a comment.Jun 22 2016, 4:47 PM

Change 295553 had a related patch set uploaded (by Mattflaschen):
Make CentralAuth explicitly say which cookies need to be extended

https://gerrit.wikimedia.org/r/295553

Mattflaschen-WMF added a comment.Jun 22 2016, 5:48 PM

I hit an issue where the cookies CentralAuth needed (specifically User) was not consistent with what the core variable was. We shouldn't make a CentralAuth-specific change to the core variable, and we shouldn't make end-users change the $wg, since they shouldn't need to know implementation-specific details about how the cookies are used.

So I changed how this works in those two patches. Hopefully, we can get those two, and the config change, reviewed and deployed soon.

Mattflaschen-WMF claimed this task.Jun 22 2016, 6:33 PM

With this config (testing further locally):

If you don't choose "Keep me logged in", centralauth_User, UserID and UserName (the latter only with my above patch) will have a one-year expiration. Although it will indeed not keep you logged in (due to not setting Token), this is probably not what the user would want and expect.

So I think this needs more work.

Mattflaschen-WMF added a subscriber: Research.Jun 23 2016, 1:31 PM

This may affect user_touched, which is set after the user logs in (since if people use 'Keep me logged in', they will now log in more rarely).

Tgr subscribed.Jun 23 2016, 1:54 PM
Deskana awarded a token.Jun 23 2016, 2:23 PM
gerritbot added a comment.Jun 24 2016, 5:59 PM

Change 295551 merged by jenkins-bot:
Extended login: Don't use a $wg config variable, add UserName

https://gerrit.wikimedia.org/r/295551

gerritbot added a comment.Jun 24 2016, 5:59 PM

Change 295553 merged by jenkins-bot:
Make CentralAuth explicitly say which cookies need to be extended

https://gerrit.wikimedia.org/r/295553

ReleaseTaggerBot added projects: MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-06-28_(1.28.0-wmf.8)).Jun 24 2016, 6:00 PM
matej_suchanek updated the task description. (Show Details)Jun 24 2016, 6:15 PM
Johan subscribed.Jun 30 2016, 10:11 AM

Will this go into production next week, as ReleaseTaggerBot suggests?

Jdforrester-WMF added a comment.Jun 30 2016, 10:25 AM
In T68699#2417254, @Johan wrote:

Will this go into production next week, as ReleaseTaggerBot suggests?

No. The user-facing change is https://gerrit.wikimedia.org/r/#/c/230954/ (in config) which will have immediate effect when it's merged. Not scheduled yet – if we get a final round of 'go's I think w/c 11 July would work, though.

Mattflaschen-WMF added a comment.Jul 11 2016, 8:57 PM

See https://wikitech.wikimedia.org/wiki/User:Mattflaschen/Cookies (that's a draft of the cookie info Legal needs). I will:

  • Do a final retest
  • Coordinate with @Mpaulson again
  • Notify Tech News

before putting up the config for SWAT

Any other steps?

Whatamidoing-WMF added a comment.Jul 13 2016, 6:04 PM

Other steps:

  • Tell me when to expect this.
  • Plan a party to celebrate.

Is this going to invalidate existing logins, or will it just take effect the next time that you'd have to login anyway?

Trizek-WMF subscribed.Jul 13 2016, 6:09 PM
Mattflaschen-WMF added a comment.Jul 14 2016, 1:00 AM
In T68699#2458976, @Whatamidoing-WMF wrote:

Other steps:

  • Tell me when to expect this.
  • Plan a party to celebrate.

Is this going to invalidate existing logins, or will it just take effect the next time that you'd have to login anyway?

It shouldn't affect already-logged-in sessions.

Danny_B added a project: Research.Jul 29 2016, 1:32 PM
Danny_B removed a subscriber: Research.
Mattflaschen-WMF added a project: Collab-Team-Q1-July-Sep-2016.Aug 3 2016, 12:46 AM
Krinkle unsubscribed.Aug 3 2016, 5:19 AM
DarTar subscribed.Aug 4 2016, 10:16 PM

Removing this from the #research-and-data board, since we're not planning to do any immediate work on this. Ping us if you need more help.

DarTar removed a project: Research.Aug 4 2016, 10:16 PM
Mattflaschen-WMF added a comment.Aug 10 2016, 12:00 AM

Done prep work. Checking with @Mpaulson about timing now. I would like to do it this week.

Trizek-WMF added a project: Community-Relations-Support (Jul-Sep-2016).Aug 11 2016, 7:21 AM
Trizek-WMF moved this task from Backlog to September on the Community-Relations-Support (Jul-Sep-2016) board.
Trizek-WMF moved this task from September to August on the Community-Relations-Support (Jul-Sep-2016) board.

I'm having a meeting with Matt today to see if any CL time would be nice concerning that change.

Mattflaschen-WMF added a comment.EditedAug 12 2016, 5:58 PM

I've added a page documenting this at https://www.mediawiki.org/wiki/%22Keep_me_logged_in%22_extended_to_one_year .

It is scheduled for this Tuesday (2016-08-16) during the 15:00 UTC SWAT window.

@Whatamidoing-WMF will be be helping to communicate the change.

Mattflaschen-WMF moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.Aug 12 2016, 6:00 PM
gerritbot added a comment.Aug 12 2016, 6:31 PM

Change 304493 had a related patch set uploaded (by Mattflaschen):
Rm unused 'remembermypassword' message, doc another

https://gerrit.wikimedia.org/r/304493

gerritbot added a comment.Aug 12 2016, 7:47 PM

Change 304501 had a related patch set uploaded (by Mattflaschen):
Set one year login in Beta Cluster

https://gerrit.wikimedia.org/r/304501

gerritbot added a comment.Aug 12 2016, 7:57 PM

Change 304501 merged by jenkins-bot:
Set one year login in Beta Cluster

https://gerrit.wikimedia.org/r/304501

Stashbot subscribed.Aug 12 2016, 8:03 PM

Mentioned in SAL [2016-08-12T20:03:51Z] <mattflaschen@tin> Synchronized wmf-config/CommonSettings-labs.php: T68699: Enable one-year login on Beta Cluster. Scheduled for prod on Tuesday. (duration: 00m 52s)

Mattflaschen-WMF mentioned this in T142863: On Beta Cluster, MediaWiki namespace override is inconsistently applied.Aug 12 2016, 8:32 PM
Mattflaschen-WMF added a comment.Aug 12 2016, 8:49 PM

That i18n change is not a blocker.

This is now on the Beta Cluster as well.

Mattflaschen-WMF updated the task description. (Show Details)Aug 12 2016, 8:50 PM
Tgr added a comment.EditedAug 12 2016, 9:06 PM

Thanks for making this happen, Matt!

Is there a good reason not to change userlogin-remembermypassword globally (or at least Wikimedia-globally) to show the length of the login session? That would be the most far-reaching way to communicate this change, and seems like a sensible thing to do in general.

In T68699#2548544, @Mattflaschen-WMF wrote:

I've added a page documenting this at https://www.mediawiki.org/wiki/%22Keep_me_logged_in%22_extended_to_one_year .

Maybe a good place to mention all the recent and ongoing security improvements (stronger password requirements for admins, 2FA, login, T11838)? Some people will no doubt have questions about the security effects of the change.

Mattflaschen-WMF added a comment.Aug 12 2016, 9:27 PM
In T68699#2549376, @Tgr wrote:

Is there a good reason not to change userlogin-remembermypassword globally (or at least Wikimedia-globally) to show the length of the login session? That would be the most far-reaching way to communicate this change, and seems like a sensible thing to do in general.

I would prefer not to. The downside is that it makes the login form more busy, when we've put a lot of effort into keeping it simple. And it just doesn't seem like users need or expect that level of information on the login screen. Let's take any further discussion to T49694: "Remember me" on Login interface should state duration (where there has been extensive discussion already).

Maybe a good place to mention all the recent and ongoing security improvements (stronger password requirements for admins, 2FA, login, T11838)? Some people will no doubt have questions about the security effects of the change.

Could you do a "see also", so we can keep that particular page short (and thus readable and easy-to-translate)?

Liuxinyu970226 moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Aug 13 2016, 1:17 AM
Tgr mentioned this in T49694: "Remember me" on Login interface should state duration.Aug 13 2016, 2:10 AM
Tgr added a comment.Aug 13 2016, 2:52 AM
In T68699#2549403, @Mattflaschen-WMF wrote:

Could you do a "see also", so we can keep that particular page short (and thus readable and easy-to-translate)?

Thought about that a bit more and decided they are not all that relevant (they are about protecting login, not protecting being logged in).

MZMcBride added a comment.Aug 13 2016, 10:38 PM
In T68699#2450022, @Mattflaschen-WMF wrote:

Any other steps?

csteipp, BBlack, and Krinkle expressed concerns about the approach being taken here (cf. T68699#696077, T68699#1534649, and T68699#696227). I think we should make sure that there are separate follow-up Phabricator Maniphest tasks to track the additional work needed here so that those concerns don't get overlooked.

TerraCodes subscribed.Aug 15 2016, 4:02 AM
Mattflaschen-WMF mentioned this in T143014: Search not finding task (using two search terms being in the description, and one term being in a comment).Aug 15 2016, 5:53 PM
Mattflaschen-WMF mentioned this in T143015: Consider different "keep me logged in" login lengths for different user groups.Aug 15 2016, 5:55 PM
Mattflaschen-WMF mentioned this in T143019: Consider alternative cookie schemes for keeping users logged in.Aug 15 2016, 6:06 PM
Mattflaschen-WMF added a comment.Aug 15 2016, 6:11 PM
In T68699#2551245, @MZMcBride wrote:

csteipp, BBlack, and Krinkle expressed concerns about the approach being taken here (cf. T68699#696077, T68699#1534649, and T68699#696227). I think we should make sure that there are separate follow-up Phabricator Maniphest tasks to track the additional work needed here so that those concerns don't get overlooked.

@csteipp did OK the current approach (T68699#696127), though. I filed T143015: Consider different "keep me logged in" login lengths for different user groups as a follow up task.

The other part is part-technical, part-product, and it's not clear if and what we want to do there. But I've filed T143019: Consider alternative cookie schemes for keeping users logged in.

Catrope moved this task from Untriaged to In Development on the Collab-Team-Q1-July-Sep-2016 board.Aug 15 2016, 9:14 PM
gerritbot added a comment.Aug 16 2016, 3:04 PM

Change 230954 merged by jenkins-bot:
Change login cookies (for 'Keep me logged in') to a one year expiry.

https://gerrit.wikimedia.org/r/230954

Stashbot added a comment.Aug 16 2016, 3:14 PM

Mentioned in SAL [2016-08-16T15:14:28Z] <thcipriani@tin> Synchronized wmf-config/CommonSettings.php: SWAT: [[gerrit:230954|Change login cookies (for "Keep me logged in") to a one year expiry. (T68699)]] (duration: 01m 08s)

Whatamidoing-WMF created subtask T143112: Announce changes to login length to the communities.Aug 16 2016, 3:22 PM
Mattflaschen-WMF added a comment.Aug 16 2016, 4:51 PM

I noticed that the loginwiki centralauth_User cookie still gets set to a month-one expiration (the centralauth_User cookies on the individual sites are a full year).

This doesn't seem to affect the other cookies, though. I set my clock into the future, and I am still logged in. Also, even this central cookie is getting set to the full year later.

So everything seems to be working.

Mattflaschen-WMF moved this task from In Development to QA Review on the Collab-Team-Q1-July-Sep-2016 board.Aug 16 2016, 5:22 PM
Jdforrester-WMF closed this task as Resolved.Aug 16 2016, 5:30 PM

All looks good to me, too.

Thanks Matt, and everyone who helped!

Liuxinyu970226 unsubscribed.Aug 16 2016, 11:32 PM
Tgr added a comment.Aug 17 2016, 3:10 AM
In T68699#2557657, @Mattflaschen-WMF wrote:

I noticed that the loginwiki centralauth_User cookie still gets set to a month-one expiration (the centralauth_User cookies on the individual sites are a full year).

Works for me. Are you looking at the right request? It's set on the request to Special:CentralAutoLogin/refreshCookies (see SpecialCentralLogin::doLoginStart, the part with the comment Start an unusable placeholder session stub and send a cookie, and SpecialCentralAutoLogin::execute, under case 'refreshCookies').

Whatamidoing-WMF added a comment.Aug 17 2016, 9:15 AM

@Mpaulson , I believe that https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#cookieFAQ still needs to be updated. Is this on your calendar?

Mpaulson added subscribers: APalmer_WMF, WhatamIdoing.Aug 17 2016, 5:31 PM

@Mattflaschen-WMF @WhatamIdoing @APalmer_WMF - Matt should be working with Aeryn to update the various cookie documents to 1 year. When is it going to be changed over?

APalmer_WMF added a comment.Aug 17 2016, 5:43 PM

@Mattflaschen-WMF @Whatamidoing-WMF @Mpaulson The updates are complete.

RandomDSdevel awarded a token.Aug 17 2016, 9:56 PM
Johan moved this task from In current Tech/News draft to Recently announced in Tech/News on the User-notice board.Aug 18 2016, 4:22 AM
WhatamIdoing unsubscribed.Aug 18 2016, 10:53 AM
Whatamidoing-WMF added a comment.Aug 18 2016, 10:55 AM
In T68699#2561424, @Mpaulson wrote:

When is it going to be changed over?

It happened on Tuesday, 16 August 2016 at 15:14 UTC (8:14 a.m. PDT).

Platonides subscribed.Aug 23 2016, 11:10 PM
In T68699#696214, @Mattflaschen-WMF wrote:

There's also a benefit if the user (think of new users especially) forgets their password, especially since we don't require an email.

It's common for there to be a tension between security and convenience.

Actually, I think there is a potential trap there:

  • New user creates a wikipedia account to make some minor fixes, he doesn't provide an email address (or mistypes it).
  • He actually gets hooked and starts editing heavily.
  • After 6-8 months, due to some local changes (eg. related to a browser update), his session expires.
  • User doesn't remember the password he made up 8 months ago and used only once. However, he has now invested a more significantt effort on wikimedia under his now-lost username.
  • If he had been logged out after a week, it would be easier to remember the password and also less traumatic to start again.
Whatamidoing-WMF closed subtask T143112: Announce changes to login length to the communities as Resolved.Aug 24 2016, 8:37 AM
Johan moved this task from Recently announced in Tech/News to Already announced/Archive on the User-notice board.Aug 24 2016, 10:04 PM
gerritbot added a comment.Sep 6 2016, 9:20 PM

Change 304493 merged by jenkins-bot:
Rm unused 'remembermypassword' message, doc another

https://gerrit.wikimedia.org/r/304493

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-09-13_(1.28.0-wmf.19)).Sep 6 2016, 10:00 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:21 PM
Quiddity mentioned this in T151770: Frequent loss of session data in Firefox (since around 2016-11-28).Feb 27 2017, 10:35 PM
Aklapper mentioned this in T104326: Numerous sv.wp users get repeatedly logged out again.Apr 26 2017, 6:25 PM
Barfield81 subscribed.Sep 28 2019, 11:55 PM
Aklapper removed subscribers: DarTar, jmatazzoni, Anomie and 4 others.Oct 16 2020, 5:42 PM
Ladsgroup edited projects, added User-notice-archive; removed MW-1.28-release (WMF-deploy-2016-09-13_(1.28.0-wmf.19)), User-notice.Aug 13 2022, 1:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL