Last modified: 2004-10-01 04:10:15 UTC
BUG MIGRATED FROM SOURCEFORGE
http://sourceforge.net/tracker/index.php?func=detail&aid=993937&group_id=34373&atid=411192

Originally submitted by Cœur (coeur) 2004-07-19 18:59

Hello,

My account name on fr.wikipedia.org is « Cœur ». Please note there is a Unicode character. The issue is that my identification is lost every time I close my browser, even if I check the box to remember my password. This has been happening for many months, but only with Wikimedia. If I use phpBB or vBulletin, then cookies and sessions work fine.

I use Internet Explorer 6 and Firefox 0.9 on Windows XP, with the default medium security level for cookies. I don't use any firewall. I also happened to format my computer recently, without better results.

Because it does not happen with other people, I think it is related to my Unicode name. My password only uses ASCII characters.

I don't want to enter my password five times a day, I only want to enter it one time a year, so please fix this issue, thank you.

------------------------- Additional comments ------------------------

Date: 2004-07-25 15:35
Sender: SF user hashar

Hello,

Can you please test with another account without any Unicode char, for example an account named "coeur"? Many MediaWiki users have Unicode usernames.

-------------------------------------------------

Date: 2004-07-25 23:16
Sender: SF user coeur

Hello Hashar,

You were right: I tried to create alternative accounts on fr.wikipedia, and I can connect and stay connected with all of them:
- TestUnicode
- TestUnicode€
- TestUnicodeŒ
- TestUnicodeCœur
- Cœus

Now I'm lost: I don't know why my identification with my main account doesn't remember me:
- Cœur

The password is a regular password, the options are regular options, everything should be the same as the last test account (Cœus), but the cookie thing doesn't work. On the first page (Accueil), it recognizes my name, but as soon as I hit refresh or click a link, my identification is lost.
I was using Firefox 0.9.2 for today's tests. I will lower the priority of this bug, because it only affects my account.

-------------------------------------------------

Date: 2004-08-06 08:56
Sender: SF user tomk32

Can you clear the cookies from Wikipedia? In case you haven't changed a password generated by Wikipedia, please change it.

-------------------------------------------------

Date: 2004-08-06 09:49
Sender: SF user pladask

I have exactly the same problem, on en.wikipedia.org as well as no.wikipedia.org (Norwegian), using Mozilla. My user name on both wikis is Pladask. I've tried flushing all cookies and even chosen "allow all cookies", but nothing seems to work. I have no problems with other sites using cookies the very same way.

-------------------------------------------------

Date: 2004-08-06 09:56
Sender: SF user tomk32

@pladask: please try changing your password and logging in again.

-------------------------------------------------

Date: 2004-08-06 10:05
Sender: SF user pladask

Oh, you're very right. Sorry. I'm bad. Disregard my comment. :-)

-------------------------------------------------

Date: 2004-08-06 12:05
Sender: SF user tomk32

I've already changed Mediawiki:remembermypassword and Mediawiki:tog-rememberpassword on de: but it didn't take any effect yet :(

BTW: why is it not tog-remembermypassword (with a "my")?

-------------------------------------------------

Date: 2004-08-09 15:09
Sender: SF user coeur

Ok, here is more info about the issue.

1) I've requested a new password using the automatic tool: the identification across sessions WASN'T fixed.
2) I've manually changed my password, using the same as the old one: the identification WAS fixed.

This means that there is a bug when you get a generated password: it won't be compatible with the cookie system or so.

-------------------------------------------------

Date: 2004-08-09 15:22
Sender: SF user tomk32

I don't think it's a bug but a feature.
Can any dev confirm and close this bug report?

-------------------------------------------------

Date: 2004-08-09 23:54
Sender: SF user coeur

If it is a feature, then it lacks documentation and warning. Users should be warned that if they don't MANUALLY change their password, the "remember my password across sessions" won't work at all. Plus, I see no logic for this feature. It should be removed IMHO.

-------------------------------------------------

Date: 2004-08-09 23:56
Sender: SF user vibber

I'm not sure what Tom is saying is a feature. Can you clarify?

-------------------------------------------------

Date: 2004-08-10 00:20
Sender: SF user hashar

Maybe the session cookie should be deleted when a user requests a new password?

-------------------------------------------------

Date: 2004-08-10 00:42
Sender: SF user coeur

I don't think it is a cookie issue, because I tried many times to delete my cookies and even formatted my computer one time. So I think it is a server issue where it knows if the password was automatically generated or manually created.

-------------------------------------------------
The problem, as I understand it, was:

1) a user asks to be mailed a new password
2) the user logs in using the new generated password, selecting "remember my password across sessions"
3) the user is still forced to log in at the start of every session, until he or she manually changes the password.

This happened because previously, a cookie was set to a hash of the new password, but when verifying the cookie, it was only compared with a hash of the old password. However, hashes of passwords are no longer used; randomly generated tokens are used instead, to reduce the threat of cookie-stealing attacks.

I believe the change fixed this bug as well, but feel free to re-open it if I missed anything.
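
The failure and the fix described in the comment above, as an added Python model that is not MediaWiki's code. The `User` fields, the helper names, the sample passwords and the token rotation on password change are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def h(password: str) -> str:
    # Stand-in for the site's password hash; unsalted SHA-256 only keeps the model short.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class User:                        # hypothetical record, not MediaWiki's schema
    password_hash: str             # hash of the password the user chose
    mailed_hash: str = ""          # hash of an e-mailed, generated password
    token: str = field(default_factory=lambda: secrets.token_hex(16))

    def login_ok(self, password: str) -> bool:
        # Either the chosen or the mailed password is accepted at login.
        stored = (self.password_hash, self.mailed_hash)
        return any(s and hmac.compare_digest(s, h(password)) for s in stored)

    def set_password(self, password: str) -> None:
        # Manual change: the chosen password replaces both stored hashes.
        self.password_hash, self.mailed_hash = h(password), ""
        self.token = secrets.token_hex(16)   # assumption: rotate on change

def old_verify(user: User, cookie: str) -> bool:
    # Old scheme: the cookie holds h(password typed at login), but only the
    # old (chosen) password's hash is checked, so a mailed password never matches.
    return hmac.compare_digest(user.password_hash, cookie)

def new_verify(user: User, cookie: str) -> bool:
    # Token scheme: the cookie is a random server-side value, unrelated to any password.
    return hmac.compare_digest(user.token, cookie)

def scenario() -> dict:
    user = User(password_hash=h("chosen-pw"))        # constructed sample values
    user.mailed_hash = h("mailed-pw")                # 1) new password is mailed
    assert user.login_ok("mailed-pw")                # 2) login with it succeeds
    out = {"old_after_mail": old_verify(user, h("mailed-pw")),   # 3) cookie rejected
           "new_after_mail": new_verify(user, user.token)}
    stale = user.token
    user.set_password("chosen-pw")                   # manual change to the same password
    out["old_after_manual"] = old_verify(user, h("chosen-pw"))
    out["stale_token_after_change"] = new_verify(user, stale)
    return out

if __name__ == "__main__":
    print(scenario())
```
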