Last modified: 2004-10-01 04:10:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T2037, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 37 - "Remember my password across sessions" doesn't work with me
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Assigned To: Nobody - You can work on this!
Reported: 2004-08-14 06:44 UTC by Timwi
Modified: 2004-10-01 04:10 UTC (History)

Description Timwi 2004-08-14 06:44:59 UTC
BUG MIGRATED FROM SOURCEFORGE
http://sourceforge.net/tracker/index.php?func=detail&aid=993937&group_id=34373&atid=411192
Originally submitted by Cœur (coeur)  2004-07-19 18:59


Hello,

My account name on fr.wikipedia.org is « Cœur ». Please
note there is a Unicode character.

The issue is that my identification is lost every time
I close my browser, even if I check the box to remember
my password.

This has been happening for many months, but only with
wikimedia. If I use phpBB or vbulletin, then cookies
and sessions work fine.

I use Internet Explorer 6 and Firefox 0.9 on Windows
XP, with default medium security level for cookies. I
don't use any firewall. I also happened to format my
computer recently without better results.

Because it does not happen with other people, I think
it is related to my Unicode name. My password is only
using ASCII characters.

I don't want to enter my password five times a day, I
only want to enter it one time a year, so please fix
this issue, thank you.

------------------------- Additional comments ------------------------
Date: 2004-07-25 15:35
Sender: SF user hashar

Hello,

Can you please test with another account without any unicode
char, for example an account named "coeur" ?

Many mediawiki users have unicode usernames.
-------------------------------------------------
Date: 2004-07-25 23:16
Sender: SF user coeur

Hello Hashar,

You were right: I tried to create alternative accounts on 
fr.wikipedia, and I can connect and stay connected with all 
of them:
- TestUnicode
- TestUnicode€
- TestUnicodeŒ
- TestUnicodeCœur
- Cœus

Now I'm lost: I don't know why my identification with my main 
account doesn't remember me:
- Cœur

The password is a regular password, the options are regular 
options, everything should be the same as the last test 
account (Cœus), but the cookie thing doesn't work. On the 
first page (Accueil), it recognizes my name, but as soon as I 
hit refresh or I click a link, my identification is lost.

I was using Firefox 0.9.2 for today's tests.

I will lower the priority of this bug, because it only affects
my account.
-------------------------------------------------
Date: 2004-08-06 08:56
Sender: SF user tomk32

Can you clear the cookies from wikipedia?
In case you haven't changed a password generated by
wikipedia, please change it.
-------------------------------------------------
Date: 2004-08-06 09:49
Sender: SF user pladask

I have exactly the same problem, on en.wikipedia.org as well
as no.wikipedia.org (Norwegian), using Mozilla. My user name
on both wikis is Pladask.

I've tried flushing all cookies and even chosen "allow all
cookies", but nothing seems to work. I have no problems with
other sites using cookies the very same way.
-------------------------------------------------
Date: 2004-08-06 09:56
Sender: SF user tomk32

@pladask: try with changing your password and re-login please
-------------------------------------------------
Date: 2004-08-06 10:05
Sender: SF user pladask

Oh, you're very right. Sorry. I'm bad. Disregard my comment. :-)
-------------------------------------------------
Date: 2004-08-06 12:05
Sender: SF user tomk32

I've already changed Mediawiki:remembermypassword and
Mediawiki:tog-rememberpassword on de: but it didn't take any
effect yet :(

BTW: why is it not tog-remembermypassword (with a "my")?


-------------------------------------------------
Date: 2004-08-09 15:09
Sender: SF user coeur

Ok, here is more info about the issue.

1) I've requested a new password using the automatic tool : 
the identification across sessions WASN'T fixed.

2) I've manually changed my password, using the same as 
the old one : the identification WAS fixed.

This means that there is a bug when you get a generated 
password : it won't be compatible with the cookie system or 
so.
-------------------------------------------------
Date: 2004-08-09 15:22
Sender: SF user tomk32

I don't think it's a bug but a feature. Can any dev confirm
and close this bugreport?
-------------------------------------------------
Date: 2004-08-09 23:54
Sender: SF user coeur

If it is a feature, then it lacks documentation and warning. 
Users should be warned that if they don't change MANUALLY 
their password, the "remember my password across sessions" 
won't work at all.

Plus, I see no logic for this feature. It should be removed 
IMHO.
-------------------------------------------------
Date: 2004-08-09 23:56
Sender: SF user vibber

I'm not sure what Tom is saying is a feature. Can you clarify?
-------------------------------------------------
Date: 2004-08-10 00:20
Sender: SF user hashar

Maybe the session cookie should be deleted when a user
requests a new password?
-------------------------------------------------
Date: 2004-08-10 00:42
Sender: SF user coeur

I don't think it is a cookie issue, because I tried many times 
to delete my cookies and even format my computer one time.

So I think it is a server issue where it knows if the password 
was automatically generated or manually created.

Comment 1 Wil Mahan 2004-10-01 04:10:15 UTC
The problem, as I understand it, was:
1) a user asks to be mailed a new password
2) the user logs in using the new generated password, selecting "remember
   my password across sessions"
3) the user is still forced to log in at the start of every session, until he
   or she manually changes the password.

This happened because previously, a cookie was set to a hash of the new
password, but when verifying the cookie, it was only compared with a hash of
the old password.

However, hashes of passwords are no longer used; randomly generated tokens
are used instead, to reduce the threat of cookie-stealing attacks. I believe
the change fixed this bug as well, but feel free to re-open it if I missed
anything.
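
A minimal model of the mismatch described in Comment 1 and of the random-token replacement, added here as an illustration; it is not MediaWiki code. The class, function and field names, the SHA-256 stand-in hash, and the token rotation on password change are all assumptions.

```python
import hashlib, hmac, secrets

def h(password):
    return hashlib.sha256(password.encode()).hexdigest()  # stand-in hash (assumption)

class User:  # hypothetical server-side record, not MediaWiki's schema
    def __init__(self, password):
        self.password_hash = h(password)     # current ("old") password
        self.mailed_hash = None              # generated password sent by mail
        self.token = secrets.token_hex(16)   # random remember-me token

    def mail_new_password(self):
        generated = secrets.token_urlsafe(8)
        self.mailed_hash = h(generated)      # old password stays valid too
        return generated

    def login(self, password):
        stored = [x for x in (self.password_hash, self.mailed_hash) if x]
        return any(hmac.compare_digest(h(password), x) for x in stored)

    def change_password(self, password):
        self.password_hash, self.mailed_hash = h(password), None
        self.token = secrets.token_hex(16)   # assumption: rotate on change

def legacy_cookie_valid(user, cookie):
    # Behaviour described in Comment 1: only the old password's hash is checked.
    return hmac.compare_digest(cookie, user.password_hash)

def token_cookie_valid(user, cookie):
    # Replacement scheme: the cookie is a random value unrelated to any password.
    return hmac.compare_digest(cookie, user.token)

def scenario():
    user = User("original-pass")                 # constructed sample password
    generated = user.mail_new_password()         # step 1
    legacy_cookie = h(generated)                 # cookie = hash of NEW password
    token_cookie = user.token
    results = {
        "login_ok": user.login(generated),       # step 2
        "legacy_next_session": legacy_cookie_valid(user, legacy_cookie),  # step 3
        "token_next_session": token_cookie_valid(user, token_cookie),
    }
    user.change_password("original-pass")        # manual change, same password
    results["legacy_after_change"] = legacy_cookie_valid(user, h("original-pass"))
    results["old_token_after_change"] = token_cookie_valid(user, token_cookie)
    return results

if __name__ == "__main__":
    print(scenario())
```

In this model the legacy cookie only starts validating after the manual password change, which matches the reporter's observation, while a token cookie captured before the change stops validating once the token is rotated.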
