Page MenuHomeMiraheze

Repeated forced logouts on All The Tropes
Closed, ResolvedPublic

Description

Just about 72 hours ago -- approximately 8:45 AM EDT on 9/13 -- I started having intermittent problems with All The Tropes spontaneously logging me out. For a period of several hours I would find myself logged out whenever I tried to edit a page, or just view it. Attempting to log in would frequently return me to the page still logged out, even though the login appeared to work properly. Sometimes I would get logged in long enough to open the page for editing but upon saving I would find myself logged out and at a screen telling me I didn't have group privileges for saving edits.

During these periods, going to the wiki's Recent Changes page (for which I have auto-update turned off and changes not grouped by page) would invariably result in the page spontaneously reloading itself with me now logged off, and after a while also changing my preferences to group changes by page, which I would have to go into preferences to reset. I repeat, I do not use any auto-update feature for Recent Changes so it should not reload itself under any circumstances.

Sometimes by opening the same page in two different tabs I can login on one just long enough to save an edit in the other, but I only got that to work a couple times.

When I try to log back in, I am subject to a wide variety of error messages, some of which I was able to get screen caps of. I've attached them to this ticket. I've seen at least two other messages that I wasn't fast enough to screencap (and in one case I couldn't reproduce it -- it was a popup that appeared under the login prompt in the top right corner of the page and vanished before I could open the snipping tool).

This behavior will continue for several hours, then stop, then start again. The first instance began, as I said, approximately 8:45 AM on 9/13, then stopped at about 2 PM that afternoon. The wiki then behaved normally for me until approximately 4:40 PM on 9/14. It then began logging me out again and continued well past 9 PM that night -- during which time I switched to a second machine with a different browser and still experienced the problem. I did not see when it actually stopped; I gave up on working on the wiki until the next morning (9/15, yesterday, approx. 8:30 AM), when it behaved correctly until about 1:30 PM. Then it started the logout problem again, and continued it to the end of my work day.

I am not currently experiencing the problem, which seems to match the pattern of the last few days. If it recurs, as I expect it will, I will update this ticket with the information.

I have confirmed this issue occurs on two different machines, both at the same IP but one running on a VPN. As a web developer I have multiple browsers on my work machine, and using them I have confirmed that this spontaneous logout happens on Chrome, Seamonkey, Internet Explorer, Firefox, Edge, Opera and Brave. (Although interestingly it took about an hour for Brave to start displaying the behavior while the other browsers experienced it immediately on going to the wiki.)

If I disable Javascript in one browser, the logout behavior stops happening there, although it continues to occur in every other browser I have open at the same time. My next planned step for my personal investigation is to go through the Javascript for the Recent Changes page by hand to see what's in there that might be doing this.

I have discussed this issue with other ATT users and admins, none of whom see anything like this, and several of them have suggested it might be indicative of an attack attempting to wrest control of my account. I would be very grateful if someone could look into this from the Miraheze side while I continue my user-side investigation.

Thank you.

loginfailure3.PNG (140×443 px, 6 KB)

loginfailure2.PNG (495×348 px, 13 KB)

loginfailure1.PNG (440×347 px, 10 KB)

Event Timeline

John added projects: MediaWiki, MediaWiki (SRE).
John subscribed.

https://phabricator.wikimedia.org/T291127 - split clustering should not be happening now.

John triaged this task as Normal priority.Sep 16 2021, 13:35

I forgot to note that some attempts to login will display a message telling me that I am centrally logged in to Miraheze and all I need to do is reload the current page to be logged in to ATT. When I do so, though, I remain logged out.

It's because we've tried to update Debian and found that it has issues. We've had to make a few attempts to gain enough logs.

Okay, thank you. Since it's not an attack, I can be patient.