Last modified: 2010-05-15 15:42:53 UTC

This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9725, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7725 - Security Problem on Login with "Remember me"
Status: RESOLVED WORKSFORME
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.8.x
Hardware: PC Windows XP
Importance: Normal normal
Assigned To: Nobody
Reported: 2006-10-27 08:57 UTC by Lon
Modified: 2010-05-15 15:42 UTC (History)

Description Lon 2006-10-27 08:57:11 UTC
Login with the "remember me" option isn't affected by a password change.

1. Log in with the "remember me" option on "one" browser
2. Change your password on another browser
3. You can still log in with "remember me" on browser "one".
Comment 1 Lon 2006-10-27 08:59:12 UTC
without typing the new password
Comment 2 Brion Vibber 2006-10-27 12:33:52 UTC
I can't reproduce this with either 1.8.2 or current 1.9 dev trunk; the first browser's session becomes 
invalid and subsequent page views on it are logged-out.

Lon, please confirm that you're not just seeing cached pages -- go to a new page, try editing, view 
a special page such as Special:Version etc.
Comment 3 Lon 2006-10-28 15:08:38 UTC
The problem is that the cookie data of the login info is still valid on the first
browser.

No matter how I modified my account data in the database, the first browser is
still allowed to edit my page.

Thanks for your reply..
Comment 4 Brion Vibber 2006-10-28 21:02:33 UTC
Lon, what you say is not true in my testing. Please provide exact directions on how to 
reproduce the problem. (The directions you give above result in failure.)
Comment 5 Lon 2006-10-29 15:15:36 UTC
Sorry, I found that the condition also happened in the phpBB system. Maybe it is
just considered a normal condition.

My condition is that I logged in to the wiki system with the "remember me" option on my
friends' computer and forgot to log out. One day someone edited the wiki page with my
account, but I don't know who did that. Then I changed my password to prevent
this, but it wouldn't work.
So I think that it's a bug.

I don't know if it is considered as a normal condition or not..

Thanks a lot.
Comment 6 Brion Vibber 2006-10-29 17:31:48 UTC
What wouldn't work?

As I mentioned above, the steps you describe result in the first browser being logged out as 
desired. The problem does not occur.
Comment 7 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-10-29 18:46:31 UTC
(In reply to comment #5)
> My condition is that I logged in to the wiki system with the "remember me" option on my
> friends' computer and forgot to log out. One day someone edited the wiki page with my
> account, but I don't know who did that. Then I changed my password to prevent
> this, but it wouldn't work.
> So I think that it's a bug.

Could someone have been editing from your computer, where the new password is
stored?  Or from some other computer, where you didn't check "Remember me" but
didn't log out and so remained logged in for a few minutes?  Or could you have
just forgotten?

Please try to *deliberately* reproduce this, by checking "remember me", changing
your password, and then trying to use the remembered password to log in from the
other computer.  Brion did try that, and it didn't work, so probably your
inference as to the cause of the unexplained edits is incorrect.
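
As an added illustration (not part of the bug thread and not MediaWiki's code), the sketch below models the behaviour described in comment 2: a remember-me cookie carries a per-user random token, and setting a new password rotates that token so cookies held by other browsers stop validating. The `UserStore` class, its methods, `reproduce_report` and the account data are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class UserStore:
    def __init__(self):
        self._users = {}  # name -> {"salt", "pw", "token"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, name, password):
        """Create the account or change its password."""
        salt = secrets.token_bytes(16)
        # A fresh token on every password set invalidates all older cookies.
        self._users[name] = {"salt": salt, "pw": self._hash(password, salt),
                             "token": secrets.token_hex(32)}

    def login(self, name, password):
        """Return a remember-me cookie value, or None on bad credentials."""
        user = self._users.get(name)
        if user and hmac.compare_digest(user["pw"], self._hash(password, user["salt"])):
            return f"{name}:{user['token']}"
        return None

    def check_cookie(self, cookie):
        """Return the user name if the cookie's token is still current."""
        name, _, token = cookie.partition(":")
        user = self._users.get(name)
        # Constant-time comparison as bytes; a stale token fails here.
        if user and hmac.compare_digest(user["token"].encode(), token.encode()):
            return name
        return None


def reproduce_report():
    """Steps 1-3 of the bug description, run against the toy store."""
    store = UserStore()
    store.set_password("Lon", "old-password")        # constructed account
    cookie_one = store.login("Lon", "old-password")  # 1. browser "one"
    store.set_password("Lon", "new-password")        # 2. other browser
    return store.check_cookie(cookie_one)            # 3. None = logged out
```

If `set_password` kept the old token instead of generating a new one, step 3 would return the user name, which is the behaviour the report claims.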
