Last modified: 2013-01-11 15:46:16 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T21048, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 19048 - 304 (not modified) responses not suppressed after user session expires
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.16.x
Hardware: All All
Importance: Normal normal
Assigned To: Nobody - You can work on this!

Reported: 2009-06-02 00:25 UTC by Dan Jacobson
Modified: 2013-01-11 15:46 UTC


Attachments
LiveHTTPHeaders trace (2.41 KB, application/x-gzip)
2010-01-07 14:27 UTC, Jure Kajzer

Description Dan Jacobson 2009-06-02 00:25:10 UTC
Here's an interesting problem. A user, call him Nurdsburg, who has
chosen one of the non-default skins in Preferences, logs in to our wiki
but does NOT check "[ ]Remember my login on this computer." After he is
finished he closes the browser and/or powers off the computer.

The next user starts the browser and finds our wiki all wacky today,
and unless he creates an account and logs in, he can't shake off the
effects of that unrelated previous user's skin choice.

OK, he clicks "Log in / create account", and no matter if Log in, or
create account, he is greeted with "Nurdsburg" already filled in
(<input class="loginText" .. value="Nurdsburg">).

It's as if we check into our hotel room only to find the previous
occupant has not checked out.

Well, OK, he has checked out (as we don't have ALL his cookies), but
room service has not cleaned up the room.

Maybe the intention is to make things a little more comfortable if
Nurdsburg comes back, but I don't know of any other application that
does not restore itself completely when the user logs out...
which indeed Nurdsburg needs to do explicitly, leaving only cookies
radioscanningtwUserName=Nurdsburg; radioscanningtwLoggedOut=20090601202502,
unless he wants to mess it up for the next guy.

Suggestions: I suppose the cookies are that way for a reason. Well, then
at least don't use the skin of the previous logged out user,
even if you still insist on filling in his name in Log in.
Comment 1 Jure Kajzer 2009-10-29 14:19:42 UTC
resolved in r58313
Comment 2 Tim Starling 2010-01-05 02:51:46 UTC
The proposed fix appears to be totally broken, so I'm reopening this. 

Jidanni, the LoggedOut cookie is there so that you *don't* see the skin from a previous user. As long as that cookie is there, the client-side cache is suppressed, by suppressing 304 response codes. If you're saying that you can see the cached HTML from a previous user *without* deleting your cookies, then please supply a trace of the relevant actions captured with LiveHTTPHeaders (remove any passwords and truncate session ID and token before posting). 

If you're seeing cached HTML from a previous user and you did delete your cookies, then we can't do anything about that and it's not a bug.

If you're seeing uncached pages with no username in the top right corner, implying they were generated for an anonymous user, but with the wrong skin, then we will need some more details about your configuration since I can't reproduce any such thing.
Comment 3 Dan Jacobson 2010-01-05 04:09:03 UTC
It seems to be working OK now.
Comment 4 Jure Kajzer 2010-01-07 13:27:19 UTC
Ok here we go ... 
Clean browser (all cache and all cookies for test host removed).

http://www.abakus.si/jk/jksvn-my/index.php?title=Main_Page (my MySQL install for parsertests, so don't panic about security and you can play around on it if you wish)
- no cookies
- default skin.

Login as tester/retset without "remember me".
- cookies wikidb_session=ee053cd3d36c3f479dfd3ab277ecd5d4; wikidbUserID=2; wikidbUserName=Tester
- user skin

Close browser, reopen, go to main-page
- cookies wikidbUserID=2; wikidbUserName=Tester
- user skin
- top-right urls as if the user is logged in
Clicking on any link produces pages as if the user is not logged in (which is correct behaviour).
Clicking back to main page gives me the logged in state.
Forcing main page refresh with action=purge finally gives me correct top-right urls.

Note that I have already reopened browser, clicked around the page, but the skin is still set to user preference (wrong), while the page tells me that I'm logged out (correct).
Cookies are still wikidbUserID=2; wikidbUserName=Tester; wikidb_session=f3634c5dfb12193e72a6703ee0bd8b00

This is default mysql install, no variables changed after installation except $wgCookiePath and there is no proxy.

Logging in and clicking log out or deleting all cookies (or waiting for cookies to timeout) returns skin back to default.
Comment 5 Tim Starling 2010-01-07 14:04:08 UTC
If you don't click "log out" then you don't get a LoggedOut cookie, so you don't get 304s suppressed. Is this the problem? A trace from LiveHTTPHeaders (like I asked for earlier) would help to confirm this.

You're not still claiming that r58313 fixes it are you?
Comment 6 Jure Kajzer 2010-01-07 14:27:42 UTC
Created attachment 6932
LiveHTTPHeaders trace

Yes, problem occurs if you do not press "log out". Pressing "log out" works fine ... I never denied that.

r58313 uses presence of Token (or better its absence) in session and cookie to check if the user specified in the cookie is still active, but as you explained in your reply on code revision this procedure will not work on all setups.

The correct solution would probably be to create loggedOut cookie on client if there is a UserID cookie present but there is no active session.

Attaching requested LiveHTTPHeaders trace. Would appreciate pointers (or ref-cursors:)) on how to solve this ...
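
Added example (not part of the thread and not MediaWiki code): a small Python model of the conditional-GET decision discussed in comments 2, 5 and 6. It shows the stale 304 when the session lapses without "log out", and the effect of the LoggedOut cookie proposed in comment 6. The function names, the `wikidb` prefix handling, the `mitigate` switch and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

PREFIX = "wikidb"        # cookie prefix as seen in comment 4
STAMP = "%Y%m%d%H%M%S"   # LoggedOut value format seen in the thread


def parse_cookie_header(header):
    """Split a Cookie request header into a dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def handle_conditional_get(cookie_header, if_modified_since, page_modified,
                           live_sessions, now, mitigate=False):
    """Model one conditional GET; returns (status, cookies_to_set)."""
    cookies = parse_cookie_header(cookie_header)
    to_set = {}
    session_ok = cookies.get(PREFIX + "_session") in live_sessions
    has_user_id = (PREFIX + "UserID") in cookies
    logged_out = (PREFIX + "LoggedOut") in cookies

    # Proposal from comment 6: a UserID cookie with no active session means
    # the login lapsed without "log out", so mark the client as logged out.
    if mitigate and has_user_id and not session_ok and not logged_out:
        to_set[PREFIX + "LoggedOut"] = now.strftime(STAMP)
        logged_out = True

    # Behaviour described in comment 2: a LoggedOut cookie suppresses 304s.
    if logged_out:
        return 200, to_set
    if if_modified_since is not None and if_modified_since >= page_modified:
        return 304, to_set  # browser reuses cached HTML built for the old user
    return 200, to_set


def demo():
    """Constructed scenario: browser reopened, session cookie gone."""
    page_modified = datetime(2010, 1, 1, tzinfo=timezone.utc)
    cached_at = datetime(2010, 1, 7, 13, 0, tzinfo=timezone.utc)
    now = datetime(2010, 1, 7, 14, 0, tzinfo=timezone.utc)
    reopened = "wikidbUserID=2; wikidbUserName=Tester"
    args = (cached_at, page_modified, set(), now)
    return {
        "reported": handle_conditional_get(reopened, *args),
        "mitigated": handle_conditional_get(reopened, *args, mitigate=True),
    }
```
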
Comment 7 Tim Starling 2010-01-07 23:02:09 UTC
Updated summary.
Comment 8 Marcin Cieślak 2010-03-18 16:39:13 UTC
I can confirm exactly the described behaviour using r61343, when using 

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

I have a feeling I see this every time, especially when 1) I didn't log out
and 2) try to browse the wiki anonymously on the next day.

If I login I am getting those cookies:

Name	wikimania2010dbUserID
Value	14
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:17:42 GMT

Name	wikimania2010dbUserName
Value	Saper
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:17:42 GMT

Name	wikimania2010db_session
Value	cebd49ddcfd2e497e24fc5826d333bb4
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	At End Of Session

After logout I return to the Monobook anonymously:

Name	wikimania2010dbUserID
Value	14
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:17:42 GMT

Name	wikimania2010dbUserName
Value	Saper
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:17:42 GMT

Name	wikimania2010db_session
Value	cebd49ddcfd2e497e24fc5826d333bb4
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	At End Of Session


(It's 18 Mar 2010 today.)

I don't know *how* to reproduce this reliably. What happens is the following:

1) User Saper uses myskin theme
2) I have some customizations in the Special:Mypage/myskin.css
3) When I come back as anonymous, I get a "clean" myskin layout (basically mediawiki html with no frills) without my customizations (which is understandable).
4) I have checked cookies and my browser had at the time I got this effect:

wikimania2010db_session
wikimania2010dbUserName
wikimania2010dbUserID

5) Deleting session and dbUserID didn't help. 
6) Deleting dbUserName allowed me to see the default monobook again.
7) I am sure the above setup didn't have "loggedout" cookie

I can achieve the same visual effect manually wherever I delete the Loggedout cookie manually after the logoff, but that doesn't count as reproducing the problem.

After I logged out for a second time, I got this set of cookies:

Name	wikimania2010dbLoggedOut
Value	20100318163206
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Fri, 19 Mar 2010 16:32:04 GMT


Name	wikimania2010dbUserName
Value	Saper
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:31:37 GMT

Name	wikimania2010db_session
Value	291e2b7a648c257afb61f7ebd4696422
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	At End Of Session

so, dbUserID was gone but session was still there (unlike the previous attempt).

I login again (and I get my customized myskin look of course):

Name	wikimania2010dbLoggedOut
Value	20100318163206
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Fri, 19 Mar 2010 16:32:04 GMT

Name	wikimania2010dbUserID
Value	14
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:34:31 GMT

Name	wikimania2010dbUserName
Value	Saper
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 16:34:31 GMT


Name	wikimania2010db_session
Value	291e2b7a648c257afb61f7ebd4696422
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	At End Of Session

This is getting crazy.... (old LoggedOut and new UserID, UserName, session
cookies?)

I think the problem may be related to the expiration time of the LoggedOut cookie (it's only 24 hours or something). 

However, I think that the browser carrying "wikimania2010dbUserName"
without a valid authenticated session should influence MediaWiki behavior
at all (except the login form, maybe).
Comment 9 Marcin Cieślak 2010-03-18 16:40:57 UTC
> However, I think that the browser carrying "wikimania2010dbUserName"
> without a valid authenticated session should influence MediaWiki behavior
> at all (except the login form, maybe).

"without a valid authenticated session should *NOT* influence MediaWiki"...
Comment 10 Marcin Cieślak 2010-03-18 21:19:33 UTC
I just got somehow logged out of the site; right now I am browsing as an anonymous user with the logged-in skin. 

It is 18-03-2010 22:16:36 localtime (UTC+1)

My set of cookies:

Name	wikimania2010dbLoggedOut
Value	20100318170524
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Fri, 19 Mar 2010 17:05:22 GMT

Name	wikimania2010dbUserID
Value	14
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 17:05:45 GMT

Name	wikimania2010dbUserName
Value	Saper
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	Sat, 17 Apr 2010 17:05:45 GMT

Name	wikimania2010db_session
Value	291e2b7a648c257afb61f7ebd4696422
Host	www.wikimania2010.pl
Path	/
Secure	No
Expires	At End Of Session
Comment 11 Andre Klapper 2013-01-09 13:14:26 UTC
Jure: 
This report has been in ASSIGNED status for more than one year and you are set as its assignee. In case that you are not actively working on a fix, please reset the bug status to NEW/UNCONFIRMED.
In case you do not plan to work on a fix in the near future: Please also edit the "Assigned To" field by clicking "Reset Assignee to default", in order to not prevent potential contributors from working on a fix. Thanks for your help!
[assigned>=1y]
