https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #40 from Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com ---
(In reply to Matthew Flaschen from comment #39)
(In reply to Kunal Mehta (Legoktm) from comment #38)
Right now we have a bunch of CentralAuth code running on login to
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Matthew Flaschen mflasc...@wikimedia.org changed:
What|Removed |Added
Depends on||35707
---
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #38 from Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com ---
Right now we have a bunch of CentralAuth code running on login to try and
attach accounts which we can merge since we have access to the user's raw
plaintext password,
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #37 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Martin von Gagern from comment #34)
Is asking for year-long concurrent sessions on multiple devices on-topic
here, is there a separate bug for this, should I file
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Matthew Flaschen mflasc...@wikimedia.org changed:
What|Removed |Added
See Also|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com changed:
What|Removed |Added
CC|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Martin von Gagern martin.vgag...@gmx.net changed:
What|Removed |Added
CC|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #35 from James Forrester jforres...@wikimedia.org ---
(In reply to Martin von Gagern from comment #34)
(In reply to Krinkle from comment #24)
Hm.. also relevant is that we invalidate existing sessions when a new
session starts
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #33 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Jared Zimmerman (WMF) from comment #27)
Most modern sites have dispensed with this type of control altogether
I would be surprised if this is true of most major
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #32 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 141394 had a related patch set uploaded by Phuedx:
Use $wgLoginCookieExpiration when setting login cookies
https://gerrit.wikimedia.org/r/141394
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #31 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 141248 had a related patch set uploaded by Phuedx:
Configure logged in session length independantly
https://gerrit.wikimedia.org/r/141248
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Gerrit Notification Bot gerritad...@wikimedia.org changed:
What|Removed |Added
Status|ASSIGNED
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #27 from Jared Zimmerman (WMF) jared.zimmer...@wikimedia.org ---
Most modern sites have dispensed with this type of control altogether,
financial sites do the opposite and force log you out after 10-30 mins usually.
If the use
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #28 from Steven Walling swall...@wikimedia.org ---
(In reply to Jared Zimmerman (WMF) from comment #27)
Most modern sites have dispensed with this type of control altogether,
financial sites do the opposite and force log you out
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Bawolff (Brian Wolff) bawolff...@gmail.com changed:
What|Removed |Added
CC|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #30 from Steven Walling swall...@wikimedia.org ---
(In reply to Bawolff (Brian Wolff) from comment #29)
I strongly suggest this be discussed on meta before being implemented.
Especially given the less than positive response last
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
James Forrester jforres...@wikimedia.org changed:
What|Removed |Added
CC|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling swall...@wikimedia.org changed:
What|Removed |Added
CC|
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #3 from mpaul...@wikimedia.org ---
(In reply to Steven Walling from comment #2)
(In reply to James Forrester from comment #1)
Is this cleared by legal and security? Also, note that
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #4 from Chris Steipp cste...@wikimedia.org ---
My initial reaction is that for privileged accounts, 1 year sounds excessive.
But for normal accounts, this should be fine.
When we're able to implement password length and https
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #5 from James Forrester jforres...@wikimedia.org ---
(In reply to Chris Steipp from comment #4)
My initial reaction is that for privileged accounts, 1 year sounds
excessive. But for normal accounts, this should be fine.
When
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #6 from Steven Walling swall...@wikimedia.org ---
(In reply to Chris Steipp from comment #4)
My initial reaction is that for privileged accounts, 1 year sounds
excessive. But for normal accounts, this should be fine.
When we're
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #7 from Chris Steipp cste...@wikimedia.org ---
(In reply to James Forrester from comment #5)
(In reply to Chris Steipp from comment #4)
My initial reaction is that for privileged accounts, 1 year sounds
excessive. But for
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling swall...@wikimedia.org changed:
What|Removed |Added
Assignee|wikibugs-l@lists.wikimedia.
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling swall...@wikimedia.org changed:
What|Removed |Added
Status|NEW |ASSIGNED
---
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #9 from Jared Zimmerman (WMF) jared.zimmer...@wikimedia.org ---
Is there a related bug to remove this from the login form or the prefs page?
It's weird to have it in both places, and most users assume a remember me type
behavior
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #10 from Quiddity pandiculat...@gmail.com ---
(In reply to Jared Zimmerman (WMF) from comment #9)
Is there a related bug to remove this from the login form or the prefs page?
It's weird to have it in both places, and most users
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #11 from Steven Walling swall...@wikimedia.org ---
(In reply to Quiddity from comment #10)
Semi-related, there's also bug 47694 ('Remember me on Login interface
should state duration')
FYI: The patch associated with that bug
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #12 from Matthew Flaschen mflasc...@wikimedia.org ---
I don't know that we want to keep using wgCookieExpiration for this, though.
That would make the default (on WMF wikis) for all cookies a year, which would
probably encourage
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #13 from Matthew Flaschen mflasc...@wikimedia.org ---
All cookies meaning unless they specify an explicit expiration directly.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #14 from Steven Walling swall...@wikimedia.org ---
(In reply to Matthew Flaschen from comment #12)
I don't know that we want to keep using wgCookieExpiration for this, though.
That would make the default (on WMF wikis) for all
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Krinkle krinklem...@gmail.com changed:
What|Removed |Added
CC||krinklem...@gmail.com
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #16 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Krinkle from comment #15)
Allowing existing sessions to be picked up again after more than a month of
not using the site doesn't seem very valuable. If anything it
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #17 from Krinkle krinklem...@gmail.com ---
Right, we only set the cookie at log in time and it expires after 30 days
regardless of whether the user actively uses their account (at which point
they'd randomly find themselves
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #18 from Krinkle krinklem...@gmail.com ---
(In reply to Krinkle from comment #17)
This [proposal] covers the use case proposed in this bug:
New users will not have to log in again after 30 days
(especially if they forgot
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #19 from Chris Steipp cste...@wikimedia.org ---
(In reply to Krinkle from comment #17)
Right, we only set the cookie at log in time and it expires after 30 days
regardless of whether the user actively uses their account (at which
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #20 from Steven Walling swall...@wikimedia.org ---
(In reply to Chris Steipp from comment #19)
But doing an automatic extension once a day seems like a much better
solution, and as you point out, not that difficult.
This
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #21 from Chris Steipp cste...@wikimedia.org ---
(In reply to Steven Walling from comment #20)
This automatic extension doesn't sound like it adequately serves the type of
infrequent editor who takes breaks in between site
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #22 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Matthew Flaschen from comment #16)
I don't believe so:
git grep -F -- '-setCookies'
Only specific login pages (Special:UserLogin and API login) and
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #23 from Steven Walling swall...@wikimedia.org ---
(In reply to Chris Steipp from comment #21)
(In reply to Steven Walling from comment #20)
This automatic extension doesn't sound like it adequately serves the type of
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #24 from Krinkle krinklem...@gmail.com ---
Hm.. also relevant is that we invalidate existing sessions when a new session
starts for a user. So in case of theft or hijacking in a way where the user
logs in again on a different
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #25 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Steven Walling from comment #23)
Yes. When you break down total active editors every month, there is a very
large group of editors who return after more than a
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #26 from Steven Walling swall...@wikimedia.org ---
(In reply to Matthew Flaschen from comment #25)
(In reply to Steven Walling from comment #23)
Yes. When you break down total active editors every month, there is a very
large
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
MZMcBride b...@mzmcbride.com changed:
What|Removed |Added
CC||b...@mzmcbride.com