Last modified: 2014-11-18 18:07:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T26892, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 24892 - Check for wrongly set system clock on login
Check for wrongly set system clock on login
Status: NEW
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Low enhancement with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-21 16:24 UTC by Tisza Gergő
Modified: 2014-11-18 18:07 UTC (History)
7 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Tisza Gergő 2010-08-21 16:24:21 UTC 
From time to time someone runs into the problem that his system clock is set more than a month in the future, rendering login cookies immediately invalid. This means that logging into MediaWiki is impossible - the logon seems to work, but on the next page load, he is logged out again. This is a very annoying bug as the system clock is not something one would typically check for login problems so usually the afflicted person is unable to use the wiki for days until the problem is located.

It would be nice to include a timestamp in the successful login page, compare it to the system clock via javascript, and either show a warning or just extend the validity of the cookie if the system clock seems to be off. (Or at the very least change the "check if you have cookies enabled" text to include checking the system clock.)
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2010-08-23 18:00:57 UTC 
RFCs 2109 and 2965 both seem to give cookie expiration in terms of max age, not expiration date: http://tools.ietf.org/html/rfc2109 http://tools.ietf.org/html/rfc2965  If we're serving Expires instead of Max-Age on cookies, that implies we're using "old" cookies, so maybe we should just switch to "new" ones?  Dunno how this would be accomplished or if it has any drawbacks.
Comment 2 Chad H. 2010-08-26 17:03:46 UTC 
(In reply to comment #1)
> RFCs 2109 and 2965 both seem to give cookie expiration in terms of max age, not
> expiration date: http://tools.ietf.org/html/rfc2109
> http://tools.ietf.org/html/rfc2965  If we're serving Expires instead of Max-Age
> on cookies, that implies we're using "old" cookies, so maybe we should just
> switch to "new" ones?  Dunno how this would be accomplished or if it has any
> drawbacks.

We use setcookie(). setcookie() uses Expires, it seems.

+upstream?
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2010-08-26 17:11:29 UTC 
Yeah, this is upstream, I guess.  Is there any workaround we can use?  Is there some reason to prefer Expires (e.g., reliability)?
Comment 4 Chad H. 2010-08-26 17:28:48 UTC 
I suppose we could construct our own cookies and send the headers... but reinventing the wheel sucks.

I'd much rather see us push this back upstream. The PHP docs say that they're following the older Netscape cookie spec (http://curl.haxx.se/rfc/cookie_spec.html). Provided that all the major browsers are supporting RFCs 2109 and 2965--and I would assume so, they're 13 and 10 years old, respectively--I would think PHP could get with the 21st century as well ;-)
Comment 5 Aryeh Gregor (not reading bugmail, please e-mail directly) 2010-08-26 19:44:56 UTC 
Pushing it upstream would be fine by me, if anyone is willing to do it, and upstream is willing to accept it.  This is hardly urgent enough that we need to work around it ourselves if we can tell users to just upgrade.  But pushing upstream is harder than working around it ourselves.
Comment 6 Antoine "hashar" Musso (WMF) 2010-09-25 21:55:14 UTC 
I would just push it upstream and track it.  As annoying as it can be, this does not seem worth another special case in mediawiki.
Comment 7 DieBuche 2010-12-05 13:48:36 UTC 
See http://bugs.php.net/bug.php?id=23955
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links