Fæ wrote:
>Do any of the volunteers contributing to this list have ideas for
>changes that may make a significant difference to security?

When you log in, you're given a user session. This session, along with
local Web browser HTTP cookies, allows you to stay logged in and
authenticated as you browse and edit a wiki. We've previously discussed
the ability for a user to see all of his or her account's active sessions,
similar to what other sites (GitHub, Facebook, Google) already allow.

This type of interface lets a user see his or her own active sessions,
originating IP addresses and User-Agent strings, and sometimes the
interface allows destroying all or some sessions (e.g., if you see a
session from the time you logged in to a friend's computer). This type of
interface can also be used, for better or worse, to track typical behavior
of the user, so that if a user often logs in from a specific IP address
range (e.g., their home computer in the UK), a user session that comes
from a vastly different IP address range (e.g., a mobile device in
Australia) can be flagged and reported to the user. Or, in the case of
two-factor authentication, a "suspicious" login attempt can be required to
go through additional verification. These types of systems are common for
Gmail accounts and some credit card accounts.

Regarding a user seeing a list of his or her own active sessions and
corresponding information, there was, and there likely still is,
considerable opposition to this idea. It's akin to a "self-CheckUser"
feature (which I think we should separately support) and there were
concerns that we would help vandals, sockpuppets, and other bad users.

Some links:

* https://www.mediawiki.org/wiki/?curid=117743
* https://www.mediawiki.org/wiki/?curid=156161
* https://phabricator.wikimedia.org/T387
* https://phabricator.wikimedia.org/T29242

MZMcBride



_______________________________________________
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
<mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
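
The session list, selective revocation and unfamiliar-network flag discussed in this message, as an added Python example; it is not MediaWiki code and not code from the post. The class and function names, the /16 and /32 prefix lengths standing in for a user's "typical" range, and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    session_id: str
    ip: str
    user_agent: str
    revoked: bool = False

def network_of(ip, v4_prefix=16, v6_prefix=32):
    """Coarse network containing ip (prefix lengths are assumed tuning values)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class SessionRegistry:
    def __init__(self):
        self._sessions = {}  # user -> list of Session
        self._known = {}     # user -> networks the user has logged in from

    def login(self, user, session_id, ip, user_agent):
        """Record a session; return True if it comes from an unfamiliar network."""
        net = network_of(ip)
        known = self._known.setdefault(user, set())
        suspicious = bool(known) and net not in known  # no baseline on first login
        if not suspicious:
            known.add(net)  # flagged networks join the baseline only via confirm()
        self._sessions.setdefault(user, []).append(Session(session_id, ip, user_agent))
        return suspicious

    def confirm(self, user, ip):
        """Trust ip's network once the user has passed additional verification."""
        self._known.setdefault(user, set()).add(network_of(ip))

    def active(self, user):
        """Only the account's own sessions are ever returned."""
        return [s for s in self._sessions.get(user, []) if not s.revoked]

    def revoke(self, user, session_id=None):
        """Destroy one session, or all of them when session_id is None."""
        hit = [s for s in self.active(user) if session_id in (None, s.session_id)]
        for s in hit:
            s.revoked = True
        return len(hit)

def demo():
    reg = SessionRegistry()
    # Constructed sample logins: two from one range, then one from another.
    logins = [("s1", "192.0.2.10", "Firefox"), ("s2", "192.0.2.77", "Firefox"),
              ("s3", "203.0.113.5", "MobileSafari")]
    return reg, [reg.login("alice", *entry) for entry in logins]
```

A flagged network stays outside the baseline until `confirm()` is called, so repeated logins from it keep being flagged rather than becoming "typical" on their own.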
