On Fri, Apr 11, 2008 at 9:48 AM, Brion Vibber brion@wikimedia.org wrote:
Security:
The sessions are set on other domains by passing an internal token value on a URL -- an unencrypted HTTP GET request. It's bad enough we're still passing all kinds of stuff around in unencrypted cookies, but those GET URLs go into all sorts of logs, which seems pretty creepy to me.
I'd be more comfortable with one-time-use tokens, which won't be of any use to anyone once they've seen them. Resetting them on logout only helps insofar as anyone actually logs out... I know I never do. :)
Brion already knows this, but for completeness, I addressed this a few days ago.
Incomplete migrations:
I haven't thoroughly tested, but my impression is that the global session state will only get set up properly if the remote wiki that happens to get hit for that domain has the global account.
If there's a non-matching local account there, it looks like it won't set the session for the whole domain.
This is inaccurate. Authentication of the token stored in memcached and addressed by a one-time token given in the GET parameters is done against the central DB. There was a silly and probably broken line in AutoLogin which loaded a corresponding local account for the sake of storing the 'rememberpassword' option, but I refactored that out in r33176.
On Sat, Apr 12, 2008 at 4:36 AM, Brion Vibber brion@wikimedia.org wrote:
This was previously done by NOT setting local cookies on every single wiki that you're automatically authenticated on.
Which means it doesn't set up a local session or update your cache timestamp, which means you see various uncached settings and your first edit fails. :)
These are bad, hence my fix.
I asked Tim, and he told me there wasn't any reason to be setting local cookies in doing this, so I removed that line from wfCentralAuthSessionInit.
Note that, in order to address issues of caching after you've logged out, I've added a LoggedOut cookie, and added this to the list of vary-options cookies. I'm not sure if I'm supposed to be setting User::mTouched if that cookie's present as well, and, if so, I'm happy to do that.
Plus you still had local cookies wherever you explicitly logged in.
I'm getting there.
I hope I've gotten a little bit closer to addressing all your concerns :-). For full details of today's work, see this commit message:
http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=33176
Thanks for having a close look at this.
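The thread above describes a cross-domain auto-login flow in which a one-time token travels in a GET parameter, is looked up in memcached, and is authenticated against the central database. The following is an added, stand-alone illustration of that pattern, not CentralAuth's own code and not taken from r33176: the cache key prefix, the 30-second TTL, the CENTRAL_DB contents and the function names are assumptions, and an in-memory dict stands in for both memcached and the central database so the example runs offline.

```python
"""Single-use cross-domain auto-login token: issue once, redeem once.

Added illustration of the mechanism discussed in the thread; not the
project's code. memcached and the central account DB are simulated with
dicts, and all names, keys and the TTL below are assumptions.
"""
import secrets
import time

# Constructed stand-in for the central (global account) database.
CENTRAL_DB = {
    "alice": {"global_id": 1001, "attached_wikis": {"enwiki", "dewiki"}},
}

# Assumed TTL: short, because the token rides in a GET URL that will be logged.
TOKEN_TTL = 30

class TokenCache:
    """Minimal memcached-like store with a TTL and an atomic take (get + delete)."""

    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock  # injectable for tests of expiry

    def set(self, key, value, ttl):
        self._store[key] = (value, self._clock() + ttl)

    def take(self, key):
        """Return the stored value and delete it in one step.

        Returns None if the key is unknown, already consumed, or expired.
        Deleting on read is what makes the token single-use: a second
        request carrying the same token (from a log, a proxy, a referer)
        finds nothing.
        """
        entry = self._store.pop(key, None)
        if entry is None:
            return None
        value, expires = entry
        if self._clock() > expires:
            return None
        return value

def _key(token):
    return "centralauth:autologin:" + token  # assumed key layout

def issue_autologin_token(cache, username, target_wiki):
    """Central side: mint a random single-use token bound to a user and a target wiki."""
    token = secrets.token_urlsafe(32)
    cache.set(_key(token), {"user": username, "wiki": target_wiki}, TOKEN_TTL)
    return token

def redeem_autologin_token(cache, token, this_wiki):
    """Remote side: consume the token from the GET parameter.

    Returns a dict describing the session to set up, or None on any failure.
    Authentication is against the central DB only; no local account lookup
    is needed, which is the point made in the thread.
    """
    payload = cache.take(_key(token))
    if payload is None:
        return None  # unknown, already used, or expired
    if payload["wiki"] != this_wiki:
        return None  # minted for a different domain; token is burnt anyway
    account = CENTRAL_DB.get(payload["user"])
    if account is None or this_wiki not in account["attached_wikis"]:
        return None  # no global account, or not attached on this wiki
    return {"user": payload["user"], "global_id": account["global_id"], "wiki": this_wiki}

if __name__ == "__main__":
    cache = TokenCache()
    tok = issue_autologin_token(cache, "alice", "dewiki")
    print("first redeem :", redeem_autologin_token(cache, tok, "dewiki"))
    print("second redeem:", redeem_autologin_token(cache, tok, "dewiki"))
```

The check that matters is in `take`: the pop and the expiry test happen before any authentication, so a token replayed from a web-server log, a proxy cache or a Referer header is worthless after its first use regardless of whether the user ever logs out. Against a real memcached you would want the delete to be atomic with the read (for example a compare-and-swap or a single-use key pattern) rather than a get followed by a delete, since two racing requests could otherwise both succeed.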