[Wikitech-ambassadors] Logging everyone out

2020-10-01 Thread Chris Danis
Everyone on all Wikimedia wikis has been logged out, and will have to log
back in again.

This was done out of an abundance of caution, after we received one (1)
user report of being logged in as someone else.

Said report coincided with the deployment of a new MediaWiki release which
caused other problems around User session objects; this is possibly related
and under active investigation.

We believe the number of possibly-affected users was small, and that the
time window in which the error was possible was short.  However, we believe
that resetting all sessions is a prudent measure to ensure that the impact
is limited.

More details to follow, after technical investigation has determined a
cause.  https://phabricator.wikimedia.org/T264370

Apologies for the disruption,
-- 

Chris Danis (he/him)

Staff Site Reliability Engineer

Wikimedia Foundation 
___
Wikitech-ambassadors mailing list
Wikitech-ambassadors@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-ambassadors


Re: [Wikitech-ambassadors] Logging everyone out

2020-07-10 Thread youssef
Ok

On Thu, Jul 9, 2020, 10:47 PM Timo Tijhof wrote:

> Everyone on Wikimedia wikis will shortly be logged out and will have to
> log back in again.
>
> The protections we deployed on June 26 failed to cover some cases.
> We have updated the traffic layer today to also protect against these
> cases.
>
> --  Timo Tijhof
>


Re: [Wikitech-ambassadors] Logging everyone out

2020-07-09 Thread Krinkle
Everyone on Wikimedia wikis will shortly be logged out and will have to log
back in again.

The protections we deployed on June 26 failed to cover some cases.
We have updated the traffic layer today to also protect against these cases.

--  Timo Tijhof


On Fri, Jun 26, 2020 at 3:44 AM Tim Starling wrote:

> Everyone on Wikimedia wikis will shortly be logged out and will have
> to log back in again.
>
> We are resetting all sessions because we believe that, due to a
> configuration error, session cookies may have been sent in cacheable
> responses. Some users reported that they saw the site as if they were
> logged in as someone else. We believe that the number of affected
> users was very small. However, we believe that resetting all sessions
> is a prudent measure to ensure that the impact is limited.
>
> There are several layers of protection against something like this
> happening, and we don't yet know how all of them failed, but we have
> made a configuration change which should be sufficient to prevent it
> from happening again.
>
> -- Tim Starling
>
>


Re: [Wikitech-ambassadors] Logging everyone out

2020-07-09 Thread Timo Tijhof
Everyone on Wikimedia wikis will shortly be logged out and will have to log
back in again.

The protections we deployed on June 26 failed to cover some cases.
We have updated the traffic layer today to also protect against these cases.

--  Timo Tijhof


[Wikitech-ambassadors] Logging everyone out

2020-06-25 Thread Tim Starling
Everyone on Wikimedia wikis will shortly be logged out and will have
to log back in again.

We are resetting all sessions because we believe that, due to a
configuration error, session cookies may have been sent in cacheable
responses. Some users reported that they saw the site as if they were
logged in as someone else. We believe that the number of affected
users was very small. However, we believe that resetting all sessions
is a prudent measure to ensure that the impact is limited.

There are several layers of protection against something like this
happening, and we don't yet know how all of them failed, but we have
made a configuration change which should be sufficient to prevent it
from happening again.

-- Tim Starling


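
The failure mode named in the 2020-06-25 message (session cookies sent in cacheable responses), shown as an added example that is not part of the thread and is not Wikimedia's code or configuration. It is a simplified check, loosely following the shared-cache rules of RFC 9111, that flags a response which both sets a cookie and could be served by a shared cache to another client; the function names and all header values are constructed for illustration.

```python
# Added example: a simplified model of RFC 9111 shared-cache rules.
# Not Wikimedia's configuration; all header values are constructed.

def parse_cache_control(value):
    """Return {directive: argument-or-None}, directive names lowercased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_reuse(headers):
    """True if a shared cache could serve this response to another client
    without first revalidating it with the origin."""
    cc, has_expires = {}, False
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
        elif name.lower() == "expires":
            has_expires = True
    if {"no-store", "private", "no-cache"} & cc.keys():
        return False
    # For shared caches, s-maxage takes precedence over max-age.
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            try:
                return int(cc[directive]) > 0
            except (TypeError, ValueError):
                return False  # malformed lifetime: treat as already stale
    return "public" in cc or has_expires

def cookie_leak_risk(headers):
    """Flag a response that sets a cookie and is reusable by a shared cache."""
    sets_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
    return sets_cookie and shared_cache_may_reuse(headers)

COOKIE = ("Set-Cookie", "session=CONSTRUCTED-VALUE; Secure; HttpOnly")
SAMPLES = {
    "cookie on edge-cacheable page": [("Cache-Control", "s-maxage=86400, max-age=0"), COOKIE],
    "cookie on private response": [("Cache-Control", "private, s-maxage=0, max-age=0"), COOKIE],
    "cacheable page, no cookie": [("Cache-Control", "public, max-age=300")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {'RISK' if cookie_leak_risk(headers) else 'ok'}")
```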