Last modified: 2013-01-11 15:46:16 UTC
Here's an interesting problem. A user, call him Nurdsburg, who has chosen one of the non-default skins in Preferences, logs in to our wiki but does NOT check "[ ]Remember my login on this computer." After he is finished he closes the browser and/or powers off the computer. The next user starts the browser and finds our wiki all wacky today, and unless he creates an account and logs in, he can't shake off the effects of that unrelated previous user's skin choice. OK, he clicks "Log in / create account", and no matter if Log in, or create account, he is greeted with "Nurdsburg" already filled in (<input class="loginText" .. value="Nurdsburg">). It's as if we check into our hotel room only to find the previous occupant has not checked out. Well, OK, he has checked out (as we don't have ALL his cookies), but room service has not cleaned up the room. Maybe the intention is to make things a little more comfortable if Nurdsburg comes back, but I don't know of any other application that does not restore itself completely when the user logs out... which indeed Nurdsburg needs to do explicitly, leaving only cookies radioscanningtwUserName=Nurdsburg; radioscanningtwLoggedOut=20090601202502, unless he wants to mess it up for the next guy.
Suggestions: I suppose the cookies are that way for a reason. Well, then at least don't use the skin of the previous logged out user, even if you still insist on filling in his name in Log in.
resolved in r58313
The proposed fix appears to be totally broken, so I'm reopening this. Jidanni, the LoggedOut cookie is there so that you *don't* see the skin from a previous user. As long as that cookie is there, the client-side cache is suppressed, by suppressing 304 response codes. If you're saying that you can see the cached HTML from a previous user *without* deleting your cookies, then please supply a trace of the relevant actions captured with LiveHTTPHeaders (remove any passwords and truncate session ID and token before posting). If you're seeing cached HTML from a previous user and you did delete your cookies, then we can't do anything about that and it's not a bug. If you're seeing uncached pages with no username in the top right corner, implying they were generated for an anonymous user, but with the wrong skin, then we will need some more details about your configuration since I can't reproduce any such thing.
It seems to be working OK now.
Ok here we go ...
Clean browser (all cache and all cookies for test host removed).
http://www.abakus.si/jk/jksvn-my/index.php?title=Main_Page (my MySQL install for parsertests, so don't panic about security and you can play around on it if you wish)
- no cookies
- default skin
Login as tester/retset without "remember me".
- cookies wikidb_session=ee053cd3d36c3f479dfd3ab277ecd5d4; wikidbUserID=2; wikidbUserName=Tester
- user skin
Close browser, reopen, go to main-page
- cookies wikidbUserID=2; wikidbUserName=Tester
- user skin
- top-right urls as if the user is logged in
Clicking on any link produces pages as if the user is not logged in (which is correct behaviour). Clicking back to main page gives me the logged in state. Forcing main page refresh with action=purge finally gives me correct top-right urls.
Note that I have already reopened browser, clicked around the page, but the skin is still set to user preference (wrong), while the page tells me that I'm logged out (correct).
Cookies are still wikidbUserID=2; wikidbUserName=Tester; wikidb_session=f3634c5dfb12193e72a6703ee0bd8b00
This is default mysql install, no variables changed after installation except $wgCookiePath and there is no proxy. Logging in and clicking log out or deleting all cookies (or waiting for cookies to timeout) returns skin back to default.
If you don't click "log out" then you don't get a LoggedOut cookie, so you don't get 304s suppressed. Is this the problem? A trace from LiveHTTPHeaders (like I asked for earlier) would help to confirm this. You're not still claiming that r58313 fixes it are you?
Created attachment 6932: LiveHTTPHeaders trace
Yes, problem occurs if you do not press "log out". Pressing "log out" works fine ... I never denied that. r58313 uses presence of Token (or better its absence) in session and cookie to check if the user specified in the cookie is still active, but as you explained in your reply on code revision this procedure will not work on all setups. The correct solution would probably be to create loggedOut cookie on client if there is a UserID cookie present but there is no active session. Attaching requested LiveHTTPHeaders trace. Would appreciate pointers (or ref-cursors:)) on how to solve this ...
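Added example (not part of the thread and not MediaWiki's own code): a simplified Python model of the 304 decision discussed above, showing why closing the browser without logging out lets a page cached while logged in be revalidated, and what the suggested "LoggedOut cookie on stale UserID" change would do. The function name, the `wikidbLoggedOut` cookie name, the timestamp comparison and all sample values are assumptions.

```python
from datetime import datetime

MW_TS = "%Y%m%d%H%M%S"  # LoggedOut cookie value format seen in the thread

def conditional_get(cookies, if_modified_since, page_modified, now,
                    session_valid=False, implicit_logout=False, prefix="wikidb"):
    """Return (status, cookies_to_set) for a conditional GET of a wiki page.

    Assumed model: a LoggedOut timestamp counts as a modification of every
    page. implicit_logout=True applies the idea suggested in the thread: a
    UserID cookie with no live session is handled like a click on "log out".
    """
    to_set = {}
    logged_out = cookies.get(prefix + "LoggedOut")
    stale_identity = (prefix + "UserID") in cookies and not session_valid
    if implicit_logout and stale_identity and logged_out is None:
        logged_out = now.strftime(MW_TS)
        to_set[prefix + "LoggedOut"] = logged_out
    last_modified = page_modified
    if logged_out is not None:
        last_modified = max(last_modified, datetime.strptime(logged_out, MW_TS))
    if if_modified_since is not None and last_modified <= if_modified_since:
        return 304, to_set  # browser reuses the copy cached while logged in
    return 200, to_set      # page is rendered again for the current state

# Constructed sample values (not taken from the attached trace).
PAGE_MODIFIED = datetime(2010, 3, 1, 12, 0, 0)
CACHED_AT = datetime(2010, 3, 18, 16, 0, 0)  # If-Modified-Since sent by the browser
NOW = datetime(2010, 3, 19, 9, 0, 0)
AFTER_CLOSE = {"wikidbUserID": "2", "wikidbUserName": "Tester"}
AFTER_LOGOUT = {"wikidbUserName": "Tester", "wikidbLoggedOut": "20100318163206"}

def scenarios():
    """Status per scenario: browser closed, explicit logout, proposed fix."""
    return {
        "closed_without_logout": conditional_get(AFTER_CLOSE, CACHED_AT, PAGE_MODIFIED, NOW),
        "explicit_logout": conditional_get(AFTER_LOGOUT, CACHED_AT, PAGE_MODIFIED, NOW),
        "implicit_logout": conditional_get(AFTER_CLOSE, CACHED_AT, PAGE_MODIFIED, NOW,
                                           implicit_logout=True),
    }

if __name__ == "__main__":
    for name, (status, to_set) in scenarios().items():
        print(f"{name:24} -> {status} set-cookie={to_set}")
```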
Updated summary.
I can confirm exactly the described behaviour using r61343, when using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
I have a feeling I see this every time, especially when 1) I didn't log out and 2) try to browse the wiki anonymously on the next day.
If I login I am getting those cookies:
Name wikimania2010dbUserID Value 14 Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:17:42 GMT
Name wikimania2010dbUserName Value Saper Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:17:42 GMT
Name wikimania2010db_session Value cebd49ddcfd2e497e24fc5826d333bb4 Host www.wikimania2010.pl Path / Secure No Expires At End Of Session
After logout I return to the Monobook anonymously:
Name wikimania2010dbUserID Value 14 Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:17:42 GMT
Name wikimania2010dbUserName Value Saper Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:17:42 GMT
Name wikimania2010db_session Value cebd49ddcfd2e497e24fc5826d333bb4 Host www.wikimania2010.pl Path / Secure No Expires At End Of Sessio
(It's 18 Mar 2010 today.)
I don't know *how* to reproduce this reliably. What happens is the following:
1) User Saper uses myskin theme
2) I have some customizations in the Special:Mypage/myskin.css
3) When I come back as anonymous, I get a "clean" myskin layout (basically mediawiki html with no frills) without my customizations (which is understandable).
4) I have checked cookies and my browser had at the time I got this effect: wikimania2010db_session wikimania2010dbUserName wikimania2010dbUserID
5) Deleting session and dbUserID didn't help.
6) Deleting dbUserName allowed me to see the default monobook again.
7) I am sure the above setup didn't have "loggedout" cookie
I can achieve the same visual effect manually wherever I delete the Loggedout cookie manually after the logoff, but that doesn't count as reproducing the problem.
After I logged out for a second time, I got this set of cookies:
Name wikimania2010dbLoggedOut Value 20100318163206 Host www.wikimania2010.pl Path / Secure No Expires Fri, 19 Mar 2010 16:32:04 GMT
Name wikimania2010dbUserName Value Saper Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:31:37 GMT
Name wikimania2010db_session Value 291e2b7a648c257afb61f7ebd4696422 Host www.wikimania2010.pl Path / Secure No Expires At End Of Session
so, dbUserID was gone but session was still there (unlike the previous attempt).
I login again (and I get my customized myskin look of course):
Name wikimania2010dbLoggedOut Value 20100318163206 Host www.wikimania2010.pl Path / Secure No Expires Fri, 19 Mar 2010 16:32:04 GMT
Name wikimania2010dbUserID Value 14 Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:34:31 GMT
Name wikimania2010dbUserName Value Saper Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 16:34:31 GMT
Name wikimania2010db_session Value 291e2b7a648c257afb61f7ebd4696422 Host www.wikimania2010.pl Path / Secure No Expires At End Of Session
This is getting crazy.... (old LoggedOut and new UserID, UserName, session cookies?)
I think the problem may be related to the expiration time of the LoggedOut cookie (it's only 24 hours or something). However, I think that the browser carrying "wikimania2010dbUserName" without a valid authenticated session should influence MediaWiki behavior at all (except the login form, maybe).
> However, I think that the browser carrying "wikimania2010dbUserName"
> without a valid authenticated session should influence MediaWiki behavior
> at all (except the login form, maybe).
"without a valid authenticated session should *NOT* influence MediaWiki"...
I just got somehow logged out of the site; right now I am browsing as an anonymous user with the logged-in skin. It is 18-03-2010 22:16:36 localtime (UTC+1)
My set of cookies:
Name wikimania2010dbLoggedOut Value 20100318170524 Host www.wikimania2010.pl Path / Secure No Expires Fri, 19 Mar 2010 17:05:22 GMT
Name wikimania2010dbUserID Value 14 Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 17:05:45 GMT
Name wikimania2010dbUserName Value Saper Host www.wikimania2010.pl Path / Secure No Expires Sat, 17 Apr 2010 17:05:45 GMT
Name wikimania2010db_session Value 291e2b7a648c257afb61f7ebd4696422 Host www.wikimania2010.pl Path / Secure No Expires At End Of Session
Jure: This report has been in ASSIGNED status for more than one year and you are set as its assignee. In case that you are not actively working on a fix, please reset the bug status to NEW/UNCONFIRMED. In case you do not plan to work on a fix in the near future: Please also edit the "Assigned To" field by clicking "Reset Assignee to default", in order to not prevent potential contributors from working on a fix. Thanks for your help! [assigned>=1y]