
Increase "remember me" login cookie expiry from 30 days to 1 year on Wikimedia wikis
Closed, ResolvedPublic

Description

Scheduled: This is scheduled for this Tuesday (2016-08-16) during the 15:00 UTC SWAT window.

Author: swalling

Description:
Previously, we were required to remember a user's session information for no longer than 30 days on Wikimedia sites. The new privacy policy (https://meta.wikimedia.org/wiki/Privacy_policy) does not require such a limitation, and in fact explicitly calls out remembering logins as a use case: "...such as by using cookies to maintain your session when you log in or to remember your username in the login field."

As such, if a user checks the "keep me logged in" option on the login form, cookie expiry should be set to one year.

In practice, this will often be shorter, since users often travel across many browsers or devices, and may clear their cookies. At the very least, users who opt in to being remembered should have their sessions remembered for longer than the arbitrary 30-day limit.


See Also:
T69512: Allow concurrent "remember me" logins


Event Timeline


@Mattflaschen - Has this been changed to one year now?


No, it's still being worked on.

This is now unblocked technically, I think.

@Jdforrester-WMF @jmatazzoni What do you think? See BBlack's comment above.

From a Product POV I'd be OK with this going out. I agree somewhat that there are alternatives we can consider, but I think this would be a good move for now.

Okay, speak now... I'll check back in about a week and if no one has objected will re-sync with Legal in order to go ahead and do it.

This also needs to wait until AuthManager is enabled (wgDisableAuthManager false) in production.

Do it do it do it do it do it please.

Okay, maybe you really do need to wait for AuthManager. But count me as an active supporter for getting this done as soon as reasonably possible, not just in the category of "silence is consent".

Change 295551 had a related patch set uploaded (by Mattflaschen):
Extended login: Don't use a $wg config variable, add UserName

https://gerrit.wikimedia.org/r/295551

Change 295553 had a related patch set uploaded (by Mattflaschen):
Make CentralAuth explicitly say which cookies need to be extended

https://gerrit.wikimedia.org/r/295553

I hit an issue where the cookies CentralAuth needed (specifically User) was not consistent with what the core variable was. We shouldn't make a CentralAuth-specific change to the core variable, and we shouldn't make end-users change the $wg, since they shouldn't need to know implementation-specific details about how the cookies are used.

So I changed how this works in those two patches. Hopefully, we can get those two, and the config change, reviewed and deployed soon.

With this config (testing further locally):

If you don't choose "Keep me logged in", centralauth_User, UserID and UserName (the latter only with my above patch) will have a one-year expiration. Although it will indeed not keep you logged in (due to not setting Token), this is probably not what the user would want and expect.

So I think this needs more work.

This may affect user_touched, which is set after the user logs in (since if people use 'Keep me logged in', they will now log in more rarely).
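The expiry mismatch described above (identity cookies extended to a year even when the user did not tick "Keep me logged in" and no Token cookie was set) is the kind of thing a response-header check catches before deployment. The following is an added example, not code from this task, MediaWiki or CentralAuth: a small Python audit that parses the Set-Cookie headers of a login response and checks them against the policy stated in this task. The cookie names Token, UserID, UserName and centralauth_User come from the task; centralauth_Token, the session cookie name, the `now` parameter and all header values are assumptions or constructed sample data.

```python
"""Audit a login response's Set-Cookie headers against the remember-me expiry policy.

Policy, as described in this task:
  - remember-me checked: Token and the identity cookies get a one-year expiry;
  - remember-me not checked: no identity cookie may receive the extended expiry;
    the normal 30-day cookie lifetime is the ceiling.
Cookie names come from the task; the sample header values below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

IDENTITY_COOKIES = {"UserID", "UserName", "centralauth_User"}
TOKEN_COOKIES = {"Token", "centralauth_Token"}  # centralauth_Token is assumed, not named in the task
AUTH_COOKIES = IDENTITY_COOKIES | TOKEN_COOKIES
ONE_YEAR = 365 * 86400
NORMAL_EXPIRY = 30 * 86400  # the pre-change 30-day limit


def parse_set_cookie(header, now):
    """Return (name, lifetime_seconds); lifetime is None for a session cookie.

    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    lifetime = None
    saw_max_age = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            lifetime = int(value)
            saw_max_age = True
        elif key == "expires" and not saw_max_age:
            lifetime = int((parsedate_to_datetime(value) - now).total_seconds())
    return name, lifetime


def audit_login_cookies(headers, remember_me, now=None, tolerance=3600):
    """Return a list of policy findings; an empty list means the headers comply."""
    now = now or datetime.now(timezone.utc)
    lifetimes = dict(parse_set_cookie(h, now) for h in headers)
    findings = []
    for name in sorted(AUTH_COOKIES & set(lifetimes)):
        lifetime = lifetimes[name]
        if remember_me:
            if lifetime is None or abs(lifetime - ONE_YEAR) > tolerance:
                findings.append(f"{name}: expected about one year, got {lifetime}")
        elif lifetime is not None and lifetime > NORMAL_EXPIRY:
            findings.append(f"{name}: extended expiry ({lifetime}s) without remember-me")
    if remember_me and not (TOKEN_COOKIES & set(lifetimes)):
        findings.append("remember-me requested but no token cookie issued; "
                        "identity cookies would be extended without a login token")
    return findings


# Constructed sample responses (not captured from a real wiki). NOW is the
# deployment time recorded in the SAL entry on this task.
NOW = datetime(2016, 8, 16, 15, 14, tzinfo=timezone.utc)

REMEMBERED_OK = [
    "Token=0123456789abcdef; Max-Age=31536000; Path=/; Secure; HttpOnly",
    "UserID=12345; Max-Age=31536000; Path=/; Secure; HttpOnly",
    "UserName=Example; Max-Age=31536000; Path=/; Secure",
    "centralauth_User=Example; Expires=Wed, 16 Aug 2017 15:14:00 GMT; Path=/; Secure",
]

# The situation described in the comment above: identity cookies extended to a
# year although the user did not ask to be remembered and no Token was set.
NOT_REMEMBERED_BAD = [
    "exampleSession=deadbeef; Path=/; Secure; HttpOnly",  # session cookie name assumed
    "UserID=12345; Max-Age=31536000; Path=/; Secure; HttpOnly",
    "UserName=Example; Max-Age=31536000; Path=/; Secure",
    "centralauth_User=Example; Max-Age=31536000; Path=/; Secure",
]

NOT_REMEMBERED_OK = [
    "exampleSession=deadbeef; Path=/; Secure; HttpOnly",
    "UserID=12345; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "UserName=Example; Max-Age=2592000; Path=/; Secure",
    "centralauth_User=Example; Max-Age=2592000; Path=/; Secure",
]

if __name__ == "__main__":
    for label, headers, remembered in [("remembered", REMEMBERED_OK, True),
                                       ("not remembered, bad", NOT_REMEMBERED_BAD, False),
                                       ("not remembered, ok", NOT_REMEMBERED_OK, False)]:
        print(label, audit_login_cookies(headers, remembered, now=NOW) or "OK")
```

The check is deliberately run per response rather than per cookie jar, because, as the later comments on this task show, different requests (the individual wiki's login versus the loginwiki Special:CentralAutoLogin/refreshCookies request) set the same cookie names with different lifetimes; feeding it the headers of the wrong request gives a misleading answer.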

Change 295551 merged by jenkins-bot:
Extended login: Don't use a $wg config variable, add UserName

https://gerrit.wikimedia.org/r/295551

Change 295553 merged by jenkins-bot:
Make CentralAuth explicitly say which cookies need to be extended

https://gerrit.wikimedia.org/r/295553

Will this go into production next week, as ReleaseTaggerBot suggests?


No. The user-facing change is https://gerrit.wikimedia.org/r/#/c/230954/ (in config) which will have immediate effect when it's merged. Not scheduled yet – if we get a final round of 'go's I think w/c 11 July would work, though.

See https://wikitech.wikimedia.org/wiki/User:Mattflaschen/Cookies (that's a draft of the cookie info Legal needs). I will:

  • Do a final retest
  • Coordinate with @Mpaulson again
  • Notify Tech News

before putting up the config for SWAT

Any other steps?

Other steps:

  • Tell me when to expect this.
  • Plan a party to celebrate.

Is this going to invalidate existing logins, or will it just take effect the next time that you'd have to login anyway?


It shouldn't affect already-logged-in sessions.

Removing this from the #research-and-data board, since we're not planning to do any immediate work on this. Ping us if you need more help.

Done prep work. Checking with @Mpaulson about timing now. I would like to do it this week.

I'm having a meeting with Matt today to see if any CL time would be nice concerning that change.

I've added a page documenting this at https://www.mediawiki.org/wiki/%22Keep_me_logged_in%22_extended_to_one_year .

It is scheduled for this Tuesday (2016-08-16) during the 15:00 UTC SWAT window.

@Whatamidoing-WMF will be helping to communicate the change.

Change 304493 had a related patch set uploaded (by Mattflaschen):
Rm unused 'remembermypassword' message, doc another

https://gerrit.wikimedia.org/r/304493

Change 304501 had a related patch set uploaded (by Mattflaschen):
Set one year login in Beta Cluster

https://gerrit.wikimedia.org/r/304501

Mentioned in SAL [2016-08-12T20:03:51Z] <mattflaschen@tin> Synchronized wmf-config/CommonSettings-labs.php: T68699: Enable one-year login on Beta Cluster. Scheduled for prod on Tuesday. (duration: 00m 52s)

That i18n change is not a blocker.

This is now on the Beta Cluster as well.

Thanks for making this happen, Matt!

Is there a good reason not to change userlogin-remembermypassword globally (or at least Wikimedia-globally) to show the length of the login session? That would be the most far-reaching way to communicate this change, and seems like a sensible thing to do in general.

Maybe a good place to mention all the recent and ongoing security improvements (stronger password requirements for admins, 2FA, login, T11838)? Some people will no doubt have questions about the security effects of the change.

In T68699#2549376, @Tgr wrote:

Is there a good reason not to change userlogin-remembermypassword globally (or at least Wikimedia-globally) to show the length of the login session? That would be the most far-reaching way to communicate this change, and seems like a sensible thing to do in general.

I would prefer not to. The downside is that it makes the login form more busy, when we've put a lot of effort into keeping it simple. And it just doesn't seem like users need or expect that level of information on the login screen. Let's take any further discussion to T49694: "Remember me" on Login interface should state duration (where there has been extensive discussion already).

Maybe a good place to mention all the recent and ongoing security improvements (stronger password requirements for admins, 2FA, login, T11838)? Some people will no doubt have questions about the security effects of the change.

Could you do a "see also", so we can keep that particular page short (and thus readable and easy-to-translate)?


Thought about that a bit more and decided they are not all that relevant (they are about protecting login, not protecting being logged in).

Any other steps?

csteipp, BBlack, and Krinkle expressed concerns about the approach being taken here (cf. T68699#696077, T68699#1534649, and T68699#696227). I think we should make sure that there are separate follow-up Phabricator Maniphest tasks to track the additional work needed here so that those concerns don't get overlooked.


@csteipp did OK the current approach (T68699#696127), though. I filed T143015: Consider different "keep me logged in" login lengths for different user groups as a follow up task.

The other part is part-technical, part-product, and it's not clear if and what we want to do there. But I've filed T143019: Consider alternative cookie schemes for keeping users logged in.

Change 230954 merged by jenkins-bot:
Change login cookies (for 'Keep me logged in') to a one year expiry.

https://gerrit.wikimedia.org/r/230954

Mentioned in SAL [2016-08-16T15:14:28Z] <thcipriani@tin> Synchronized wmf-config/CommonSettings.php: SWAT: [[gerrit:230954|Change login cookies (for "Keep me logged in") to a one year expiry. (T68699)]] (duration: 01m 08s)

I noticed that the loginwiki centralauth_User cookie still gets set to a one-month expiration (the centralauth_User cookies on the individual sites are a full year).

This doesn't seem to affect the other cookies, though. I set my clock into the future, and I am still logged in. Also, even this central cookie is getting set to the full year later.

So everything seems to be working.

All looks good to me, too.

Thanks Matt, and everyone who helped!

I noticed that the loginwiki centralauth_User cookie still gets set to a one-month expiration (the centralauth_User cookies on the individual sites are a full year).

Works for me. Are you looking at the right request? It's set on the request to Special:CentralAutoLogin/refreshCookies (see SpecialCentralLogin::doLoginStart, the part with the comment "Start an unusable placeholder session stub and send a cookie", and SpecialCentralAutoLogin::execute, under case 'refreshCookies').

@Mattflaschen-WMF @WhatamIdoing @APalmer_WMF - Matt should be working with Aeryn to update the various cookie documents to 1 year. When is it going to be changed over?

When is it going to be changed over?

It happened on Tuesday, 16 August 2016 at 15:14 UTC (8:14 a.m. PDT).

There's also a benefit if the user (think of new users especially) forgets their password, especially since we don't require an email.

It's common for there to be a tension between security and convenience.

Actually, I think there is a potential trap there:

  • New user creates a Wikipedia account to make some minor fixes; he doesn't provide an email address (or mistypes it).
  • He actually gets hooked and starts editing heavily.
  • After 6-8 months, due to some local changes (e.g. related to a browser update), his session expires.
  • User doesn't remember the password he made up 8 months ago and used only once. However, he has now invested a more significant effort on Wikimedia under his now-lost username.
  • If he had been logged out after a week, it would be easier to remember the password and also less traumatic to start again.

Change 304493 merged by jenkins-bot:
Rm unused 'remembermypassword' message, doc another

https://gerrit.wikimedia.org/r/304493