[Bug 3233] Send a cookie with each block?

2014-11-18 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #26 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 48029 abandoned by Krinkle:
Send a cookie with autoblocks to prevent vandalism.

https://gerrit.wikimedia.org/r/48029

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 3233] Send a cookie with each block?

2014-11-18 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

James Forrester jforres...@wikimedia.org changed:

   What|Removed |Added

 Status|PATCH_TO_REVIEW |NEW



[Bug 3233] Send a cookie with each block?

2013-07-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Andre Klapper aklap...@wikimedia.org changed:

   What|Removed |Added

   Keywords|patch-in-gerrit |
 Status|ASSIGNED|PATCH_TO_REVIEW



[Bug 3233] Send a cookie with each block?

2013-03-05 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

James Forrester jforres...@wikimedia.org changed:

   What|Removed |Added

 CC||jforres...@wikimedia.org

--- Comment #25 from James Forrester jforres...@wikimedia.org ---
[Comment also on the code, but it applies to the bug more widely.]

I'm concerned that this adds still further to the (not short) list of cookies
that MediaWiki in general, and Wikimedia's cluster in particular, can/will add.
Has this gone through legal to approve it - e.g. are there issues with the
privacy policy/Terms of Use?



[Bug 3233] Send a cookie with each block?

2013-02-12 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Krinkle krinklem...@gmail.com changed:

   What|Removed |Added

 CC||krinklem...@gmail.com

--- Comment #23 from Krinkle krinklem...@gmail.com ---
Please provide a patch, then.



[Bug 3233] Send a cookie with each block?

2013-02-12 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #24 from Tyler Romeo tylerro...@gmail.com ---
(In reply to comment #23)
> Please provide a patch, then.

(In reply to comment #9)
> https://gerrit.wikimedia.org/r/48029



[Bug 3233] Send a cookie with each block?

2013-02-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #22 from Tyler Romeo tylerro...@gmail.com ---
@Krinkle You made the attachment a patch, but it's actually not a patch, just a
copy of User.php with changes made. :P



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Tyler Romeo tylerro...@gmail.com changed:

   What|Removed |Added

   Keywords||patch-in-gerrit
 Status|NEW |ASSIGNED
 CC||tylerro...@gmail.com
   Assignee|wikibugs-l@lists.wikimedia.org |tylerro...@gmail.com

--- Comment #9 from Tyler Romeo tylerro...@gmail.com ---
https://gerrit.wikimedia.org/r/48029



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

MZMcBride b...@mzmcbride.com changed:

   What|Removed |Added

 CC||b...@mzmcbride.com



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #10 from MZMcBride b...@mzmcbride.com ---
When this bug was filed (in 2005), Web browsers didn't commonly have an
incognito or private browsing mode. Given that this cookie feature is
intended to target users who are capable of changing their IP address (i.e.,
users with some degree of technical competence/clue), I feel it's reasonable to
assume these same bad users are equally capable of using their Web browser's
incognito mode or disabling JavaScript or clearing their cookies as a means of
bypassing this cookie.

I'm inclined to support marking this bug as resolved/wontfix, but I'd like to
hear what others think.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Matthew Flaschen mflasc...@wikimedia.org changed:

   What|Removed |Added

 CC||mflasc...@wikimedia.org

--- Comment #11 from Matthew Flaschen mflasc...@wikimedia.org ---
I'm concerned about this, particularly with the cookie duration used in Tyler's
Gerrit.

First of all, this will obviously have ramifications on shared computers,
particularly in libraries in schools, where there's a lot of vandalism but also
where some constructive people do their only editing.  That alone gives me
pause.

Robert suggested 24 hours, which would definitely mitigate this.  However, the
proposed implementation
(https://gerrit.wikimedia.org/r/#/c/48029/3/includes/User.php) uses the default
cookie expiration (since setCookie with duration 0 uses that).

The default default (https://www.mediawiki.org/wiki/Manual:$wgCookieExpiration)
is now 180 days, which is an entirely different matter from a day.

I also think if we do this, it should be controlled by two separate wg config
variables:

1. Whether to do it at all, defaulting false.
2. (Ignored if 1 is false) Duration, defaulting to 24 hours or something else
very short like that.

MZMcBride is also right that it's now much easier to clear your cookies and
local storage (private browsing/incognito is relatively well publicized), so we
might be mostly targeting the good guys.

I realize there are some casual vandals (ignorant of cookies) who randomly get
assigned IPs (e.g. through a bad proxy) and keep on rolling.  But I'm skeptical
it's a worthwhile tradeoff.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #12 from Tyler Romeo tylerro...@gmail.com ---
(In reply to comment #10)
> When this bug was filed (in 2005), Web browsers didn't commonly have an
> incognito or private browsing mode. Given that this cookie feature is
> intended to target users who are capable of changing their IP address (i.e.,
> users with some degree of technical competence/clue), I feel it's reasonable
> to assume these same bad users are equally capable of using their Web
> browser's incognito mode or disabling JavaScript or clearing their cookies as
> a means of bypassing this cookie.
>
> I'm inclined to support marking this bug as resolved/wontfix, but I'd like to
> hear what others think.

It should be noted, though, that incognito mode does not ignore cookies, it
simply deletes them upon going out of incognito mode. So if a user logs into a
blocked account incognito, but doesn't open a new window when switching IPs,
the cookie will still be there.

(In reply to comment #11)
> I'm concerned about this, particularly with the cookie duration used in
> Tyler's Gerrit.
>
> First of all, this will obviously have ramifications on shared computers,
> particularly in libraries in schools, where there's a lot of vandalism but
> also where some constructive people do their only editing.  That alone gives
> me pause.
>
> Robert suggested 24 hours, which would definitely mitigate this.  However,
> the proposed implementation
> (https://gerrit.wikimedia.org/r/#/c/48029/3/includes/User.php) uses the
> default cookie expiration (since setCookie with duration 0 uses that).
>
> The default default
> (https://www.mediawiki.org/wiki/Manual:$wgCookieExpiration)
> is now 180 days, which is an entirely different matter from a day.

The cookie should last however long the block lasts. That's how autoblocks work
even outside of this case. It's the autoblock that needs to be short (and it is
short), not the cookie expiration.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #13 from Matthew Flaschen mflasc...@wikimedia.org ---
> The cookie should last however long the block lasts. That's how autoblocks
> work even outside of this case. It's the autoblock that needs to be short
> (and it is short), not the cookie expiration.

However, if I understand correctly, you're effectively broadening the scope of
the autoblock, so it seems reasonable to consider a different cookie duration
than $wgAutoblockExpiry.

If someone vandalizes from a shared computer that occasionally changes external
IP, before the block would only be tied to the shared IP (unless someone tried
to log in).  Now, it is broader, since it is tied to *both* the shared browser
and the shared IP.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #14 from Tyler Romeo tylerro...@gmail.com ---
(In reply to comment #13)
> However, if I understand correctly, you're effectively broadening the scope
> of the autoblock, so it seems reasonable to consider a different cookie
> duration than $wgAutoblockExpiry.
>
> If someone vandalizes from a shared computer that occasionally changes
> external IP, before the block would only be tied to the shared IP (unless
> someone tried to log in).  Now, it is broader, since it is tied to *both* the
> shared browser and the shared IP.

Yeah, but that's existing functionality. When a user is blocked with autoblock,
whenever they login, the new IP they login from is also autoblocked. The only
difference between what we have now and this patch is that if the blocked user
tries to edit anonymously they'll also trigger the autoblock (since right now
the only way of telling if a blocked user tries to edit is if they log in under
their blocked account).



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #15 from Tyler Romeo tylerro...@gmail.com ---
(In reply to comment #13)
> However, if I understand correctly, you're effectively broadening the scope
> of the autoblock, so it seems reasonable to consider a different cookie
> duration than $wgAutoblockExpiry.
>
> If someone vandalizes from a shared computer that occasionally changes
> external IP, before the block would only be tied to the shared IP (unless
> someone tried to log in).  Now, it is broader, since it is tied to *both* the
> shared browser and the shared IP.

Yeah, but that's existing functionality. When a user is blocked with autoblock,
whenever they login, the new IP they login from is also autoblocked. The only
difference between what we have now and this patch is that if the blocked user
tries to edit anonymously they'll also trigger the autoblock (since right now
the only way of telling if a blocked user tries to edit is if they log in under
their blocked account).



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #16 from Bawolff (Brian Wolff) bawolff...@gmail.com ---
> MZMcBride is also right that it's now much easier to clear your cookies and
> local storage (private browsing/incognito is relatively well publicized), so we
> might be mostly targeting the good guys.

No kidding, but was it ever hard? All browsers had a single button clear my
cookies since the dark ages (aka pre IE 6), they're just a little more
prominent now.

from comment 1
> Of course, some black hats...

If that's all it takes to be a black hat...

-

> First of all, this will obviously have ramifications on shared computers,
> particularly in libraries in schools, where there's a lot of vandalism but also
> where some constructive people do their only editing.  That alone gives me
> pause.

You think blocking someone with a cookie is going to have more fallout than
blocking their IP? In the case of a school (that's probably behind a nat) the
IP block might block the entire school. Worrying about this sort of thing is a
social, not a technical issue. If the admins think it is worth the loss of
potential editors, they will block the user with autoblock on. If they don't,
they won't block the user with autoblock on. The ability to screw over shared
computers already exists in software ;)

I agree that a long lasting cookie is undesirable, but if this was implemented
as:
*24 hour cookie (at most)
*Only enabled when autoblock is on (which is not all blocks)
The fallout on innocent users (relative to the previous fallout) would be
almost 0 as far as I can tell. The effectiveness might be questionable, but I
doubt it would hurt anything.

Keep in mind that while clearing cookies has become easier, it has become even
easier to change your ip. Simply change which neighbour you're stealing wifi
from.

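
The lifetime options weighed in comments #11, #12 and #16 can be compared side by side. This is an added example, not part of the thread, the Gerrit change or MediaWiki; the function names, array keys and sample blocks are hypothetical, and only the duration-0 fallback and the 180-day default are taken from comment #11.

```php
<?php
// Added example: models the cookie-lifetime options debated in this thread.
// Function names, array keys and sample data are hypothetical, not MediaWiki APIs.

const HOUR = 3600;
const DAY = 86400;

// Behaviour described in comment #11: a requested duration of 0 means
// "use the default cookie expiration", not "expire immediately".
function effectiveLifetime(int $requested, int $defaultExpiration): int {
    return $requested === 0 ? $defaultExpiration : $requested;
}

// Bounded policy: returns the cookie lifetime in seconds, or null for "send no cookie".
//   $cfg['enabled']  comment #11, variable 1 (off unless a site opts in)
//   $cfg['maxAge']   comment #11, variable 2 (upper bound in seconds)
//   $block['expiry'] Unix time the block ends, or null for an indefinite block
function blockCookieLifetime(array $block, array $cfg, int $now): ?int {
    if (!$cfg['enabled'] || $cfg['maxAge'] <= 0) {
        return null;
    }
    if (!$block['autoblock']) {
        return null; // comment #16: only for blocks that have autoblock on
    }
    $remaining = $block['expiry'] === null ? PHP_INT_MAX : $block['expiry'] - $now;
    if ($remaining <= 0) {
        return null; // block already over, nothing left to enforce
    }
    // Comment #12: never outlive the block. Comments #11 and #16: never exceed the cap.
    // The result is always > 0, so it cannot trigger the "0 means default" fallback.
    return min($remaining, $cfg['maxAge']);
}

function describe(?int $seconds): string {
    return $seconds === null ? 'no cookie' : sprintf('%.1f hours', $seconds / HOUR);
}

// Constructed sample data.
$now = 1360195200;              // 2013-02-07 00:00:00 UTC
$defaultExpiration = 180 * DAY; // the default quoted in comment #11
$cfg = ['enabled' => true, 'maxAge' => DAY];
$blocks = [
    '3-hour block, autoblock on'  => ['autoblock' => true,  'expiry' => $now + 3 * HOUR],
    '1-week block, autoblock on'  => ['autoblock' => true,  'expiry' => $now + 7 * DAY],
    'indefinite, autoblock on'    => ['autoblock' => true,  'expiry' => null],
    '1-week block, autoblock off' => ['autoblock' => false, 'expiry' => $now + 7 * DAY],
];

// Any cookie set with duration 0 inherits the site-wide default, whatever the block length.
printf("%-30s %s\n", 'duration 0 (default fallback)', describe(effectiveLifetime(0, $defaultExpiration)));

foreach ($blocks as $label => $block) {
    printf("%-30s %s\n", $label, describe(blockCookieLifetime($block, $cfg, $now)));
}

// With 'enabled' => false (the default proposed in comment #11) nothing is sent.
printf("%-30s %s\n", 'feature disabled', describe(
    blockCookieLifetime($blocks['1-week block, autoblock on'], ['enabled' => false, 'maxAge' => DAY], $now)
));
```
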


[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #17 from Matthew Flaschen mflasc...@wikimedia.org ---
> Yeah, but that's existing functionality. When a user is blocked with
> autoblock, whenever they login, the new IP they login from is also
> autoblocked. The only difference between what we have now and this patch is
> that if the blocked user tries to edit anonymously they'll also trigger the
> autoblock (since right now the only way of telling if a blocked user tries to
> edit is if they log in under their blocked account).

That's not the only difference.  If someone edited from a shared browser that
someone else used to vandalize on a different IP (with a current autoblock),
before they got lucky.  Now, they're still blocked for $wgAutoblockExpiry



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #18 from Tyler Romeo tylerro...@gmail.com ---
(In reply to comment #17)
> That's not the only difference.  If someone edited from a shared browser that
> someone else used to vandalize on a different IP (with a current autoblock),
> before they got lucky.  Now, they're still blocked for $wgAutoblockExpiry

The case you're making is one where a shared browser (which implies a shared
computer) is able to change its IP address, which IMO is not a very likely
case.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #19 from Matthew Flaschen mflasc...@wikimedia.org ---
It's not the most likely case, but it happens.  Institutional proxies can have
multiple exit nodes, or be reassigned between them.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

--- Comment #20 from Tyler Romeo tylerro...@gmail.com ---
OK, but the likelihood of the case is important. Right now there are numerous
cases where autoblocks accidentally block innocent editors (such as the very
simple case of a blocked user logging on using a shared computer and causing
everybody else who uses that computer to be blocked). Like was said before,
it's more of a social issue, i.e., is the blocking user willing to risk
accidentally blocking good users.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Krinkle krinklem...@gmail.com changed:

   What|Removed |Added

 Attachment #829 is patch|0   |1

--- Comment #21 from Krinkle krinklem...@gmail.com ---
Comment on attachment 829
  -- https://bugzilla.wikimedia.org/attachment.cgi?id=829
Attempt to incorporate cookie blocks into autoblocker

Altering attachment properties to indicate that this is a patch.



[Bug 3233] Send a cookie with each block?

2013-02-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233

Daniel Friesen mediawiki-b...@nadir-seen-fire.com changed:

   What|Removed |Added

 CC||mediawiki-bugs@nadir-seen-fire.com



[Bug 3233] Send a cookie with each block?

2009-02-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233


Cirt cirt@gmail.com changed:

   What|Removed |Added

 CC||cirt@gmail.com




--- Comment #7 from Cirt cirt@gmail.com  2009-02-24 23:55:05 UTC ---
This really is a very very good idea and should be implemented.




[Bug 3233] Send a cookie with each block?

2009-02-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233


j.delanoyw...@gmail.com changed:

   What|Removed |Added

 CC||j.delanoyw...@gmail.com




--- Comment #8 from j.delanoyw...@gmail.com  2009-02-25 00:13:19 UTC ---
Speaking as someone who primarily fights vandalism, I would be extremely
grateful if this bug were acted on. It is tedious and frankly annoying to have
to deal with people who only have to reset their router or switch proxies to
continue their spree. 




[Bug 3233] Send a cookie with each block?

2009-02-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233


Harald Krichel seew...@konduktor.de changed:

   What|Removed |Added

 CC||seew...@konduktor.de




--- Comment #5 from Harald Krichel seew...@konduktor.de  2009-02-23 12:45:40 UTC ---
Of course there is a very strong interest in this.
We have much more vandals than vandals who even know to change their IP. We
could track and ban daily vandals for maybe a month or more. And we could
separate student's and teacher's computers which may have the same IP.

Maybe we could set flash cookies for the more sophisticated vandals. I esteem
that far more than 50% of our vandals could not handle either standard or flash
cookies. 

Furthermore we could reduce the collateral damage of the
hardblocking/autoblocking feature when blocking a vandal who is using a
mandatory proxy.




[Bug 3233] Send a cookie with each block?

2009-02-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=3233


Tisza Gergő gti...@gmail.com changed:

   What|Removed |Added

 CC||gti...@gmail.com




--- Comment #6 from Tisza Gergő gti...@gmail.com  2009-02-23 13:58:34 UTC ---
[https://developer.mozilla.org/en/DOM/Storage DOM storage] /
[http://msdn.microsoft.com/en-us/library/ms531424.aspx userData] is another
tricky tracking method that most vandals probably aren't aware of. But even the
most basic cookie-based blocking would be very useful for vandals accessing the
net through quickly changing dynamic addresses or large proxies.

