[Bug 73207] rollback token system is randomly broken

Mon, 10 Nov 2014 07:41:22 -0800 

https://bugzilla.wikimedia.org/show_bug.cgi?id=73207

Brad Jorsch <bjor...@wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |UNCONFIRMED
     Ever confirmed|1                           |0

--- Comment #3 from Brad Jorsch <bjor...@wikimedia.org> ---
(In reply to Peter Bena from comment #1)
> whether the revert token retrieved by meta query is permanent, or if it
> changes for every revert.

A new token is not required for for every revert, although there's nothing
stopping you from fetching a new token each time if you want.

The token returned will change each time you fetch one due to the new
time-limited token functionality,[1] but at the moment any of the returned
tokens should be valid until the session expires or something triggers a change
to the token-secret in the session.

 [1]: https://lists.wikimedia.org/pipermail/wikitech-l/2014-October/079092.html


(In reply to Peter Bena from comment #2)
> Only solution for us is to revert back to
> deprecated method which may be removed entirely from MediaWiki, leaving no
> working option.

But you yourself state in comment 0 "and even if we fallback to previous
method, the new token we get is also invalid". So how can you claim in comment
2 that you could use that method?


I've just submitted a few hundred rollbacks to enwiki that passed token
validation (to avoid flooding sandbox history and the like, they were
constructed to fail with code 'alreadyrolled' which is checked after token
validation). 150 used the same session and the same token, while 300 used a new
session with a newly-fetched token for each. You didn't specify when "peak
hours" are, but I see "Reverted" around 11-14 times per minute in
Special:RecentChanges at the moment and I'd think 1 out of 150 or 1 out of 300
would have failed if you're seeing 1 out of *20*.

It seems to me that it's more likely you've got something wrong in your code
with respect to session cookie handling or the like.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to