https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #40 from Kunal Mehta (Legoktm) ---
(In reply to Matthew Flaschen from comment #39)
> (In reply to Kunal Mehta (Legoktm) from comment #38)
> > Right now we have a bunch of CentralAuth code running on login to try and
> > attach accou
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Matthew Flaschen changed:
What|Removed |Added
Depends on||35707
--- Comment #39 from Matthew
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #38 from Kunal Mehta (Legoktm) ---
Right now we have a bunch of CentralAuth code running on login to try and
attach accounts which we can merge since we have access to the user's raw
plaintext password, so I'd ask/request that this
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Matthew Flaschen changed:
What|Removed |Added
See Also||https://bugzilla.wikimedia.
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #37 from Matthew Flaschen ---
(In reply to Martin von Gagern from comment #34)
> Is asking for year-long concurrent sessions on multiple devices on-topic
> here, is there a separate bug for this, should I file one or ask on Village
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Kunal Mehta (Legoktm) changed:
What|Removed |Added
CC||legoktm.wikipe...@gmail.com
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #35 from James Forrester ---
(In reply to Martin von Gagern from comment #34)
> (In reply to Krinkle from comment #24)
> > Hm.. also relevant is that we invalidate existing sessions when a new
> > session starts for a user. So in ca
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Martin von Gagern changed:
What|Removed |Added
CC||martin.vgag...@gmx.net
--- Comment
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #33 from Matthew Flaschen ---
(In reply to Jared Zimmerman (WMF) from comment #27)
> Most modern sites have dispensed with this type of control altogether
I would be surprised if this is true of most major sites that are currentl
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #32 from Gerrit Notification Bot ---
Change 141394 had a related patch set uploaded by Phuedx:
Use $wgLoginCookieExpiration when setting login cookies
https://gerrit.wikimedia.org/r/141394
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #31 from Gerrit Notification Bot ---
Change 141248 had a related patch set uploaded by Phuedx:
Configure logged in session length independently
https://gerrit.wikimedia.org/r/141248
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Gerrit Notification Bot changed:
What|Removed |Added
Status|ASSIGNED|PATCH_TO_REVIEW
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #30 from Steven Walling ---
(In reply to Bawolff (Brian Wolff) from comment #29)
> I strongly suggest this be discussed on meta before being implemented.
> Especially given the less than positive response last time around.
What res
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Bawolff (Brian Wolff) changed:
What|Removed |Added
CC||bawolff...@gmail.com
--- Comme
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #28 from Steven Walling ---
(In reply to Jared Zimmerman (WMF) from comment #27)
> Most modern sites have dispensed with this type of control altogether,
> financial sites do the opposite and force log you out after 10-30 mins
> u
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #27 from Jared Zimmerman (WMF) ---
Most modern sites have dispensed with this type of control altogether,
financial sites do the opposite and force log you out after 10-30 mins usually.
If the use case were trying to solve for u
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #26 from Steven Walling ---
(In reply to Matthew Flaschen from comment #25)
> (In reply to Steven Walling from comment #23)
> > Yes. When you break down total active editors every month, there is a very
> > large group of editors who
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #25 from Matthew Flaschen ---
(In reply to Steven Walling from comment #23)
> Yes. When you break down total active editors every month, there is a very
> large group of editors who return after more than a 30-day break. This type
>
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #24 from Krinkle ---
Hm.. also relevant is that we invalidate existing sessions when a new session
starts for a user. So in case of theft or hijacking in a way where the user
logs in again on a different browser / account / computer
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #23 from Steven Walling ---
(In reply to Chris Steipp from comment #21)
> (In reply to Steven Walling from comment #20)
> > This automatic extension doesn't sound like it adequately serves the type of
> > infrequent editor who takes
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #22 from Matthew Flaschen ---
(In reply to Matthew Flaschen from comment #16)
> I don't believe so:
>
> git grep -F -- '->setCookies'
>
> Only specific login pages (Special:UserLogin and API login) and
> Special:ChangePassword see
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #21 from Chris Steipp ---
(In reply to Steven Walling from comment #20)
> This automatic extension doesn't sound like it adequately serves the type of
> infrequent editor who takes breaks in between site visits/editing sessions.
> Y
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #20 from Steven Walling ---
(In reply to Chris Steipp from comment #19)
>
> But doing an automatic extension once a day seems like a much better
> solution, and as you point out, not that difficult.
This automatic extension doesn'
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #19 from Chris Steipp ---
(In reply to Krinkle from comment #17)
> Right, we only set the cookie at log in time and it expires after 30 days
> regardless of whether the user actively uses their account (at which point
> they'd rando
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #18 from Krinkle ---
(In reply to Krinkle from comment #17)
> This [proposal] covers the use case proposed in this bug:
>
> New users will not have to log in again after 30 days
> (especially if they forgot their password and did
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #17 from Krinkle ---
Right, we only set the cookie at log in time and it expires after 30 days
regardless of whether the user actively uses their account (at which point
they'd randomly find themselves logged-out after 30 days, not
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #16 from Matthew Flaschen ---
(In reply to Krinkle from comment #15)
> Allowing existing sessions to be picked up again after more than a month of
> not using the site doesn't seem very valuable. If anything it sounds a
> little dod
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Krinkle changed:
What|Removed |Added
CC||krinklem...@gmail.com
--- Comment #15 from K
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #14 from Steven Walling ---
(In reply to Matthew Flaschen from comment #12)
> I don't know that we want to keep using wgCookieExpiration for this, though.
> That would make the default (on WMF wikis) for all cookies a year, which
>
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #13 from Matthew Flaschen ---
"All cookies" meaning unless they specify an explicit expiration directly.
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #12 from Matthew Flaschen ---
I don't know that we want to keep using wgCookieExpiration for this, though.
That would make the default (on WMF wikis) for all cookies a year, which would
probably encourage proliferation of little co
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #11 from Steven Walling ---
(In reply to Quiddity from comment #10)
> Semi-related, there's also bug 47694 ('"Remember me" on Login interface
> should state duration')
FYI: The patch associated with that bug request
(https://gerrit
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #10 from Quiddity ---
(In reply to Jared Zimmerman (WMF) from comment #9)
> Is there a related bug to remove this from the login form or the prefs page?
> It's weird to have it in both places, and most users assume a "remember me"
>
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #9 from Jared Zimmerman (WMF) ---
Is there a related bug to remove this from the login form or the prefs page?
It's weird to have it in both places, and most users assume a "remember me" type
behavior anyway.
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling changed:
What|Removed |Added
Status|NEW |ASSIGNED
--- Comment #8 from Steven W
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling changed:
What|Removed |Added
Assignee|wikibugs-l@lists.wikimedia. |samsm...@wikimedia.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #7 from Chris Steipp ---
(In reply to James Forrester from comment #5)
> (In reply to Chris Steipp from comment #4)
> > My initial reaction is that for privileged accounts, 1 year sounds
> > excessive. But for normal accounts, this
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #6 from Steven Walling ---
(In reply to Chris Steipp from comment #4)
> My initial reaction is that for privileged accounts, 1 year sounds
> excessive. But for normal accounts, this should be fine.
>
> When we're able to implement
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #5 from James Forrester ---
(In reply to Chris Steipp from comment #4)
> My initial reaction is that for privileged accounts, 1 year sounds
> excessive. But for normal accounts, this should be fine.
>
> When we're able to implement
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #4 from Chris Steipp ---
My initial reaction is that for privileged accounts, 1 year sounds excessive.
But for normal accounts, this should be fine.
When we're able to implement password length and https requirements per use
group,
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
--- Comment #3 from mpaul...@wikimedia.org ---
(In reply to Steven Walling from comment #2)
> (In reply to James Forrester from comment #1)
> > Is this cleared by legal and security? Also, note that
> > https://meta.wikimedia.org/wiki/Privacy_po
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
Steven Walling changed:
What|Removed |Added
CC||cste...@wikimedia.org
--- Comment #2
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
James Forrester changed:
What|Removed |Added
CC||jforres...@wikimedia.org
--- Comment
https://bugzilla.wikimedia.org/show_bug.cgi?id=66699
MZMcBride changed:
What|Removed |Added
CC||b...@mzmcbride.com
Summary|If u