[HN Gopher] Logging Everyone Out ___________________________________________________________________ Logging Everyone Out Author : edward Score : 259 points Date : 2020-10-02 17:04 UTC (5 hours ago) (HTM) web link (lists.wikimedia.org) (TXT) w3m dump (lists.wikimedia.org) | dionian wrote: | What is the (he/him) after the guy's name? | dEnigma wrote: | His preferred pronouns, I would assume. | Karawebnetwork wrote: | Pronouns. | | That way, if someone is named "Billy" or "Alex", you won't be | spending years mistakenly assuming they were a man while they | could have been a woman. | | This also has the beneficial side effect of covering trans | individuals who use a birth name while having another gender | identity. | | Even more useful for usernames such as yours, "dionian". I do | not know if it is your first name, last name or made-up | username. So I have no clue what your gender is and I'd default | to "they". If I knew, I could call you by the right pronouns. | | It's just a slow shift away from assuming everyone on the | internet is a man. | hinkley wrote: | I hesitate to call it virtue signalling because there are | other forms of social signalling that aren't about virtue. | Safe spaces require effort from the members who already feel | safe. | | Putting (he/him) in does three things. It invites you to | provide your own. It also stops someone from starting a side- | argument about you assuming 'he/him' in your response instead | of you/your or they/their. Which means that we can talk about | what we want to talk about instead of gender politics, if you | don't feel like it. Or we can if you need to. | Karawebnetwork wrote: | It also make it so that trans people won't be outed as | trans for having their pronouns in their profiles. If only | trans people did that, you'd automatically know who is | trans and who isn't. Now that everyone is adding those, you | can't say. | fennecfoxen wrote: | It also serves as a flag that allows people to identify you | as having bought into the general set of practices which | strive to change our culture to support trans and nonbinary | gender ideology. | centimeter wrote: | I.e. it's a sort of political armband indicating you've | fully submitted to globo-corpo neoliberal ideology. | fennecfoxen wrote: | I'm not sure I would call it that at all. Silicon Valley | is _not_ the world and, in the corporate world, this | remains a very California / Silicon Valley phenomenon | (present but less strong in a few key other places -- New | York, Seattle, Portland come to mind). | | It is of course also a university-campus phenomenon | (especially private universities) but those aren't really | "corpo". For that matter, the Wikimedia Foundation is | only "corpo" insofar as a 501(c)(3) is technically in | fact a corporation -- unlikely to be within the meaning | of what you intended. | | On that note, it is more prominent in the nonprofit | sector, perhaps due to volunteers being more predisposed | to activism in general. (Mozilla was a bellwether.) | chungus_khan wrote: | Not sure exactly what you think pronouns have to do with | neoliberalism? I don't really associate the likes of | Thatcher, Reagan, Friedman, or Hayek with anything of the | sort. | | I also think globo-corpo neoliberal is a bit redundant, | no? | centimeter wrote: | "Liberal" and "neoliberal" have both been hijacked by | progressives thoroughly enough that no one associates | colloquial usage of either of those with Friedman or | Hayek. | | Friedman and Hayek were certainly not globo-corpo, | considering that they believed in things like freedom of | association, covenants, and other legal protections that | work against the likes of Amazon or Wal-mart (who are | primarily interested in undermining unions, using | strategies to diminish worker cohesion like diversity | quotas, and strategies to defang leftism like trans | activism). | Frondo wrote: | And if our culture doesn't already support trans and non- | binary people (ideology? no, it's people we're talking | about), then that seems like it'd be a good thing to | change. | fennecfoxen wrote: | Support of people may be involved, and this is a poor | forum to litigate deep problems -- but if I trusted the | diversity-and-inclusion apparatus of Silicon Valley in | general to support the _entirety_ of Title VI of the | Civil Rights Act, including the inconvenient parts about | people of differing religions, then I might not been | predisposed to choose that word. | | Even your reply highlights it. "It's about people." | Notice the manner in which you _correct_ my rather | anodyne words. The fault is that I did not frame the | question as you would have me frame it, and looked at a | part of the general phenomenon that is different from you | think deserves to be centered on. | | You are welcome to your ideology, in any event, and it | would be a poor world indeed where one could not act to | change the world in accordance with one's conscience. | [deleted] | Frondo wrote: | Would you please stop editing your post? | | You've made several substantial changes -- far beyond the | scope of a clarification -- and now I'm reluctant to | respond at all because who knows what it'll say next. | Spare_account wrote: | Not the same person but for what it's worth: the edit | period is limited to a few minutes and it exists for a | reason. This topic (gender identity/pronoun use) is | important to approach carefully and is exactly when the | edit window should be used. | throwaway_pdp09 wrote: | The edit window's about an hour | [deleted] | Karawebnetwork wrote: | There is no such thing as "transgender ideology". You | won't find those words on any credible sources. | | There are transgender people who want to access their | human rights. Transgender people do not choose their | gender identity. | kepler1 wrote: | It's appropriate that the commenter below uses the phrase | "bought in", because that conveys the general sense of | mob/unthinking latching onto this movement. One which I'm | quite disappointed to see companies just caving to, through | little insertions of ridiculous practices like these. | | Having everyone declare their gender is a little bit | ridiculous, just to serve the desires of a ~1% group who are | trying to gain more recognition. I am frankly surprised how | people are willing to distort their behavior when they refuse | to do so for other groups who are far more downtrampled in | their rights in greater percentages. I suppose somehow | transsexual people just became popular for some reason. | | Frankly, it's a symbol and problem of the modern | liberal/democratic mind (at least at the party-level) that | these problems rise to the level of national and corporate | attention -- and apparently we solved all our other material | needs and have time to spend on this in comparison. | Karawebnetwork wrote: | You project a lot of problems onto people who provide their | pronouns in their user descriptions. | | Not everyone is American, and not all issues are about | American politics. | | I find it interesting how much emphasis has been placed on | an afterthought that I edited in. A lot of really emotional | reactions like yours. I described it as a beneficial side | effect and suddenly the whole conversation is about "evil | trans people" and "bad liberals". | | Having your pronouns available is beneficial to more than | just trans people. It benefits everyone, avoids mistakes | and makes conversations more accurate. It also breaks the | myth that there are no women online and that there are no | computer-savvy women. It also brings visibility to non- | binary people who are otherwise invisible. | simcop2387 wrote: | This person has decided to provide the pronouns he would like | to be used when referred to | DoreenMichele wrote: | I have begun putting she/her in some of my profiles (twitter, | reddit) because I still get mistaken for a man at times. To be | fair, my middle name -- Michele -- can be a male name in some | places. It's the Italian version of Michael, IIRC. | | It is my personal policy to not correct people who misgender me | in most cases, especially if that is the only thing I would be | saying (I will sometimes clarify if it is part of a larger | comment, but I try to be gentle about it). I would rather put | that info somewhere and let them have the chance to learn of it | without me having to correct someone. | | Different people have different reasons for noting their | pronouns. Some do it because it is trendy. Some do it because | they have genuinely been misidentified in online spaces. Some | do it to show themselves as allies to certain groups. | | Without him saying why he did it, no one here can genuinely | tell you why he chose to do so. | throwaway_pdp09 wrote: | With my name I get presumed to be a woman - who cares? I | don't. | DoreenMichele wrote: | Some people care. Some don't. | | If you care so very little about this issue, why bother | replying to me to suggest I shouldn't? If you really don't | care, then you shouldn't even be reading this crap. There | is plenty of other stuff to read elsewhere that isn't on | this subject. | throwaway_pdp09 wrote: | Fair point, fair point. It wasn't thought through. Sorry. | | But it leads to the question of why it matters - should | it? If we treat all equally, should it matter? I don't | see myself as female, but neither a 'man', as I don't | much relate to common cultural depictions of men, which I | find distasteful. I am what I am, names won't change that | so I don't care. Why do you? | | BTW I know a few trans people and I suspect most of them | would roll their eyes at this excessive care not to | offend anyone with wrong pronouns. They expect people to | get it right but it's no disaster if someone got it | wrong. None of them are snowflakes. Consideration towards | trans people needs more basic considerations such as not | being called a freak on public transport (this happened | to a tgirl I know). | DoreenMichele wrote: | _But it leads to the question of why it matters - should | it?_ | | In theory, it shouldn't. In practice, it does. | | People who think I am male speak to me differently than | when they know I am a woman. Since I am trying to | establish an adequate income, my experience is that if | people have an issue with me being a woman, it's better | for that to be sorted _before_ they interact with me, not | _after._ | | If someone is willing to meet me in person, thinks I'm | male and then meets me and sees I'm a woman, that's | likely to go badly. I don't want to waste my time on | that, much less risk facing potential drama because of | it. | | The reality is it ends up mattering whether I want it to | matter or not. So I try to make it the least drama I can | arrange given the tools available to me. I find that a | quiet heads up is better than trying to hide my gender | and is also better than putting people on the spot and | correcting them in "public" and in a way that will make | them feel attacked for simply not knowing. | throwaway_pdp09 wrote: | > In theory, it shouldn't. In practice, it does | | If this is a problem, it needs tackling much more than | the facile overlay of pronouns. | | Now, just from _my_ experience, and I 'm just | reporting... | | > speak to me differently than when they know I am a | woman | | This has never happened to me. Always been treated | equally either way. Maybe I've been lucky. | | > ...and then meets me and sees I'm a woman | | I have the occasional reverse happen. It has never, ever, | caused any problem. Which does not invalidate your | experience, I'm just giving mine. | DoreenMichele wrote: | I do a lot more to tackle the issue than providing my | pronouns. I don't have them in my HN profile. I do have | them in my Reddit and Twitter profiles. | | Part of the reason is I've been on HN eleven years and | there is abundant opportunity for people to discover my | gender organically in comments here. | | Different tools are appropriate in different situations. | narenkeshav wrote: | I've been seeing this trend quite often these days. | jamiequint wrote: | Virtue signaling | function_seven wrote: | When people list their preferred pronouns, why list them all? | | Here we have "he/him". Sometimes I see "he/him/his" or | "she/her/hers", "they/them/theirs", etc. | | I doubt people are mixing and matching among the different | types. In other words, I've never seen someone prefer | "he/them/hers". | | Seems like we can standardize this to just one type (e.g. the | subject pronoun). A simple "he", "she", or "they" will do the | trick. | | Yes, I bikeshedded it. Sue me. | geogriffin wrote: | I think it's just more clear that they are listing pronouns, | especially if someone isn't familiar with the practice or in | verbal speech. Also note that some people use two sets of | pronouns, with equal weight, and may list them such as | "she/they". | jamiequint wrote: | I've seen a lot of he/they or she/they lately | Karawebnetwork wrote: | It also allow people who are not comfortable using | "they/them" to know what to use. | beervirus wrote: | It is a way of virtue signaling. | Amorymeltzer wrote: | Preferred gender pronoun: | | >Preferred gender pronouns or personal gender pronouns (often | abbreviated as PGP) refer to the set of third-person pronouns | that an individual prefers that others use in order to identify | that person's gender (or lack thereof). In English, when | declaring one's preferred pronouns, a person will often state | the subject and object pronouns along with the possessive | adjectives--for example, "she, her, hers", "he, him, his", or | "they, them, theirs"--although sometimes, only the subject and | object pronouns are stated ("he, him", "she, her", "they, | them"). | | https://en.wikipedia.org/wiki/Preferred_gender_pronoun | centimeter wrote: | It signifies that you've submitted to corporatist | neoliberalism. | DanBC wrote: | Chris is a name used for men and women. He's letting you know | he identifies as male. | harryf wrote: | I know the full analysis isn't online but I have a problem with | this part... | | > This was done out of an abundance of caution, after we received | one (1) user report of being logged in as someone else. | | This _seems_ like a knee-jerk reaction to one data point. | | There could be other causes for a user to report that, like a | change to the cache key used for serving a users profile giving | the _appearance_ that you're logged in as someone else, even | though you're not really. | | Forcing everyone to re-login could potentially make the system | worse, in that you're now overloading parts of the system that | has to handle those logins, plus causing all kinds of cache | expiry... | | I guess there's more to the story and someone who knows the | system deeply knew this was the right choice but just reading the | reports it seems knee-jerkish. | jeremyjh wrote: | It seems adequately explained in the next sentence. | | > Said report coincided with the deployment of a new MediaWiki | release which caused other problems around User session | objects; | [deleted] | usmannk wrote: | Bugtracker: https://phabricator.wikimedia.org/T264370 | foolfoolz wrote: | i worked at a company that spent 6 months and 2 devs to solve a | huge infrastructure change without logging anyone out of their | session | aeyes wrote: | Depends on the type of application, 99.9% of Wikimedia users | are using the site without being logged in. | | If the site doesn't work without being logged in you could | frustrate users and they might just use a different product | instead of searching for their login after being logged in for | a year or longer. | kazinator wrote: | That doesn't seem difficult; just don't change the format of | the session tokens. | | Eg a web application: you can substantially rewrite a web | application, without invalidating logged in sessions. | | The point here is that the logged in sessions were suspected of | being unauthorized. The unauthorized sessions had to be turfed, | and the clearest way of being sure that all unauthorized | sessions are turfed is to delete all the sessions. | | Of course, some those with unauthorized access will also try to | log in to resume that unauthorized access, but presumably there | is some trap laid for that. | | Maybe for the accounts suspected of having been breached, there | will be a mandatory password recovery procedure or whatever. Or | they will monitor for suspicious logins from different IP | addresses. | pvg wrote: | You can have state sitting in (serverside) session storage | that is incompatible with the new version but you don't want | users to lose. So now you have to migrate it, which can end | up being actual work depending on the change. | dahart wrote: | Isn't that a tad different than discovering an active security | hole? | 2ion wrote: | Logging people out seems like a hella low price to pay to pay | for a potential security issue. Of course, hats off if you hold | your engineering organization to such a high standard for | normal changes. | kazinator wrote: | Not logging anyone out while upgrading the kernel of a time- | sharing operating system: nice feat. | | Not logging anyone out while updating a suite of REST-ful | applications: ho hum. | aerovistae wrote: | Geez, that's a new one. | punnerud wrote: | The same happened in Norway on a governmental page a couple of | years ago. It then was a memcache problem that made other | people see one persons tax report. | | It also happened a couple of days ago again. The cause is not | known: | https://translate.googleusercontent.com/translate_c?depth=1&... | rmetzler wrote: | I have seen the same issue with caching in varnish when | cashing rules were naive or some proxy stripped relevant | headers like Cookie. | leoh wrote: | Fun fact: income for every citizen is publicly available in | Norway. | gnud wrote: | Income is sort-of publicly available (less so than it used | to be), but the details of tax filings/returns are not. | punnerud wrote: | Was until 2017, only the highest earners is fully public | now. You can search on everyone, but the person can see | that you have checked them (cleared every year). | | There exist services where you can pay $5 per search to | avoid this the history. | flemhans wrote: | I remember back in the days, I disconnected my dial-up modem and | re-connected with another public IP. Upon refreshing Hotmail, I | was presented with another user's mailbox. | | I was never able to reproduce the glitch. | s_dev wrote: | This seems all very reasonable. Look forward to the post mortem. | | Given their size on both the web in terms of employees this | unusual for Wikimedia. They typically fly under the radar. How | many times has Wikipedia ever been down? | | I recall AWS, Google, Microsoft having more outages -- mind they | probably are considerably bigger but still they're doing | something right. | dheera wrote: | There are enough copies of Wikipedia that if it has ever been | down you could just get the same content elsewhere, so people | don't usually make the same fuss about it that they would about | AWS/Google/Microsoft. | | AWS/Google being down for even a minute or two is a big deal | though. | middleclick wrote: | How many people read Wikipedia other than from the main | website? What's the source on that? | dheera wrote: | Me? I've seen it down a couple times before, and when it | was, I just Googled for another copy of the article instead | of posting "Wikipedia is down! OMG the world is ending!" | all over the internet as people do when AWS is down. | middleclick wrote: | So that makes it anecdotal. I thought that's something | others do as well. I personally don't even know where | else to look for articles. I also don't trust other | sources or possibly outdated mirrors. | codegladiator wrote: | Curious why do you trust (in cases where trust is even | required) wikipedia ? | | I am under the impression that anyone can build credit | and write what they think is correct. Do you check the | linked sources and verify as such ? | dheera wrote: | If it's a controversial topic (e.g. history of Tibet), | yes. | | If it's just an article about the history of pianos or | CPUs or something, the probability of misinformation is | much lower, the consequences of being misinformed are | much lower, and I don't usually bother. Many times I just | browse Wikipedia because I want to learn about weird | animals or off-the-beaten-path places on Earth or culture | or something like that. | | (By the way, primary sources also sometimes have their | drawbacks as well; they can often be politically | motivated, biased and not tell you the full story, and | Wikipedia is effectively peer-reviewed for a lot of | articles.) | NegativeLatency wrote: | Prior to having a cellphone data plan (2013) I kept a copy | of most Wikipedia articles on my laptop for use when | traveling and being away from easy internet access. | fireattack wrote: | What do you mean by "Given their size on both the web in terms | of employees this unusual for Wikimedia"? | | (I knew this likely just a typo, but I genuinely didn't figure | out what you meant.) | jshen wrote: | it's not hard to have high uptime for content that is largely | static. Has less to do with size than static versus dynamic, | and accurate (think bank transactions) vs fuzzy (search | results) | | edit: fixed a typo | kashif wrote: | it isn't static - just wordy. You are confusing lots of text | for staticness. | jshen wrote: | I explained what I meant by static here: | https://news.ycombinator.com/item?id=24665764 | outworlder wrote: | > it's not hard to have high uptime for content that is | largely static | | Largely static? There are edits happening all the time. | filleokus wrote: | Compared to something like Slack or Office 365 products it | could as well be carved in stone. I'm guessing 99+ % of | requests are non-authenticated, the data is easy to cache | and freshness (on the timescale of minutes or hours) is | almost worthless. | | Even something as simple as HN probably have much much | lower value of "usefulness if the service is served | completely static from caches", due to upvotes and | comments. If the front-page and comments stayed static both | during breakfast and lunch, my WFH routine would sadly be | impacted... | bawolff wrote: | > freshness (on the timescale of minutes or hours) is | almost worthless. | | On the contrary, users get very angry if stuff isn't | fresh. | | Someone changes trump article to say he is a poopy head. | If that gets fixed in 2 seconds, no big deal. If that | gets cached, and the edit to fix it doesnt hit the caches | for a couple hours, wikipedia is now the top story on | CNN. | | Generally wikipedia caches are expected to be updated | within seconds or minutes at most. | filleokus wrote: | Okay, that's fair, my view was too simplistic. But still, | Wikipedia could probably get away with days of 1-5 minute | cache refreshes if it was required? Especially if some | banner informed users about it or something. | | I think my larger points still stand. In comparison, | almost all other services at the scale of wikipedia have | critical almost-realtime components, and is almost | useless without the possibility to authenticate users | (which can't really be cached). | | Not saying that the people who manage to keep Wikipedia | so stable are doing an easy task, just that it's very | different from almost all other things on the web. | bawolff wrote: | I've sometimes heard wikipedia described as a "large | scale static site plus a medium scale social network". | The caching is a bit more complex than a naive static | site due to churn rate and freshness requirements, but | fundamentally you are right, without frontend varnish | caching, wikipedia would be very different in terms of | hosting requirements and scaling complexity. | kakwa_ wrote: | I'm also wondering if the caching strategy they are using | is a naive one (ie: cache is valid for a fix duration, | like 5 minutes) or if it's a more active one (like | stakeoverflow), with cache in validations each time a | page is modified/commented on. | bawolff wrote: | There is cache invalidation each time a page (or one of | its dependencies. Pages depend on lots of other pages) is | modified. | | Assuming things havent changed, each varnish server | listens for purges via multicast udp. | _joe wrote: | Purges have been migrated to kafka as a mean of | transport, at long last. So now if a purging daemon | crashes, purge requests are not lost. | | You can see per-server stats on purges happening here: | | https://grafana.wikimedia.org/d/RvscY1CZk/purged?orgId=1 | marcan_42 wrote: | But everyone sees the same edited version when not logged | in, which is the vast majority of users, so you can just | throw a huge cache in front, which is what they do. And | most edits only touch one page, so the churn is tiny | relative to the cache size. | | This is a much easier service to reliably engineer than | something like Twitter. For SRE purposes, Wikipedia is | mostly static. | logram wrote: | From [1]: | | > Wikipedia develops at a rate of over 1.9 edits per | second, performed by editors from all over the world. | Currently, the English Wikipedia includes 6,167,378 | articles and it averages 598 new articles per day. | | Doesn't seem to be much, to be honest. | | [1]: https://en.wikipedia.org/wiki/Wikipedia:Statistics | bawolff wrote: | Note: edits sometimes affect multiple pages (in extreme | cases, edits can affect millions of pages. The lua script | (which is a wiki page editable like any other) | Module:arguments is used on over 25 million pages). | | There generally is a bit of a long tail effect. Popular | pages get edited a lot, but they also get viewed a lot. | It can be expensive when everyone is viewing and editing | the same page (Micheal Jackson's death is a famous | example that caused downtime, although changes were made | to make things more robust so it wouldn't happen again) | MrStonedOne wrote: | The way they designed everything, this doesn't matter. its | still static, in that the content is not generated at | access time, at least for logged out users. | | If the actual servers go down all that means is that | wikipedia is read only and the caching reverse proxies that | also receive a push update during modifications would just | serve the last version of pages. (except anybody with login | cookies, valid or not, would get 500 responses) | jshen wrote: | Right, but if the backend goes down, and you serve a stale | cached version of the page that is missing the latest edit, | it's fine and you have no downtime. That's what I mean by | static. | | The opposite of static would be an e-commerce site where | you can't take transactions if the backend is down and you | really don't want to oversell your inventory, so you need | the inventory management system to be up for the site to | "work". | | Also, the average wikipedia page probably isn't edited very | often. | hackonr wrote: | SSR would be more accurate definition than static. | jshen wrote: | I don't think they are mutually exclusive. I have no idea | how wikipedia works, but I've run a lot of high volume | relatively static sites. A simple thing that works very | well is to do SSR, but serve it through a CDN like akamai, | then configure akamai to serve a static/cached version if | the backend is down. Assuming everything is working, you | get a semi dynamic SSR model, but if something goes down, | the site is still served and you have no customer facing | downtime. | bawolff wrote: | Wikipedia basically uses varnish as their own CDN (they | having caching servers in SF, texas, Virginia, singapore | and amsterdam. Backend servers are in Virginia with hot | backup in texas) | jshen wrote: | Thanks for sharing. We did it that way for a site I | worked on until a ddos brought varnish down. Then we put | Akamai in front and never had a problem again. This was | over a decade ago, it's wasn't as easy back then to auto | scale a varnish layer in the cloud. | bawolff wrote: | Wikipedia generally tries to take the approach of doing | things they can themselves and using open source | whereever possible. Most of the setup is documented at | https://wikitech.wikimedia.org and there is a public | puppet repo with all the server configs | https://github.com/wikimedia/puppet | | That said, i think they do now use cloudflate's bgp based | magic transport ddos protection product to help against | ddos | brian_cloutier wrote: | wikipedia pages are very easy to cache and caching them | likely provides a massive benefit, so if we're talking | about uptime static is probably a better description of | what is happening than SSR. | | You are right that technically it's SSR, but that's not | what's relevant here. | aidos wrote: | I've not looked for a long time but the last time I edited | it, it was close to realtime* | | *in the web sense - don't want to offend any of the real | real-time people :-) | jedberg wrote: | Sure, but if the dynamic stuff was down, you just wouldn't | be able to edit, but the static part would keep humming | right along and never get counted as an outage. | bawolff wrote: | > Sure, but if the dynamic stuff was down, you just | wouldn't be able to edit, but the static part would keep | humming right along and never get counted as an outage. | | Frontend cache gets skipped if you have a session cookie | (logged in or have been logged in recently or made an | edit logged out). So if you edit something, subsequent | views are not hitting the static site, so you would | notice if it was down | jedberg wrote: | Yeah, that's how reddit works too, but there are multiple | layers of caching behind the CDN that would still hide | certain types of outages. | bawolff wrote: | Wikipedia has a second layer of cache after that of the | article html without user interface which is stored in | memcache & db (in mediawiki speak this is referred to as | the "parser cache"). However typically if the site is | down,that layer would go down too, so only the varnish | servers really have the potential to hide outages. | M2Ys4U wrote: | There is some non-edit dynamic stuff too; some templates | are written in lua | | These templates can pull information in from outside of | the specific Wikipedia instance, like retrieving | properties from Wikidata. | | Edit: I guess I was wrong, seems like lua modules are | only evaluated when there's a change to a page | incorporating them: | | >The programs are run only when the page is "parsed" | (when it or a page it incorporates is changed or | previewed), not every time you view the output. | | https://en.wikipedia.org/wiki/Help:Lua_for_beginners#Inpu | t | bawolff wrote: | You were kind of right - page gets reparsed (and frontend | cdn cache cleared, along with a backend cache cleared) | anytime someone edits a wikidata entry the lua script | uses. | z3t4 wrote: | You can also think reads vs writes. Like when there are | many reads but few writes it makes sense to have replicas, | but if there are many writes and little reads you are | better off with "sharding". You can also think RAID, where | you have mirrors vs stripes. Often though the two concepts | are combined, like in RAID 0+1 or RAID 1+0. Scaling many | reads are much more simple then scaling both read/writes | though. The holy grail of computing/databases is to build a | database that can scale both reads _and_ writes while | having decent performance and latency. | donatj wrote: | I believe the Steam Web Store had a similar issue of people being | logged in as the wrong user a couple years back. | cheeze wrote: | This is a very common 'advanced failure scenario.' I've seen it | on a handful of sites, session objects and caching are | difficult and sometimes overlooked during migrations. | gizmo385 wrote: | That was a caching issue if I remember correctly, as opposed to | users be "logged in" as a different user. | punnerud wrote: | Love MediaWiki as a platform. I host several of them. Hope the | interactive editor in PHP soon get out of beta. | gerdesj wrote: | Do you mean the Visual Editor? That's been available for | several years now. Getting the back end for it running can be a | bit fraught. | | I wrote this: https://www.mediawiki.org/wiki/Intranet and keep | it up to date every now and then. It's probably time for me to | look at 1.36. Anyway, the current Parsoid based thing works | fine. | bawolff wrote: | I think the grandparent means the new version in 1.35 where | the backend should just "work" (i think it is out of beta | now) | tomc1985 wrote: | Assuming session ID's are tied to individual users and looked up | via a "SELECT * from sessions where id='?'" type query, how does | this even happen? | duderific wrote: | Not scoping a variable properly (causing a variable to leak out | to global scope) could also cause this. | bawolff wrote: | Not usually in php, where each request has no shared state | with any other (outside of apc, memcached) | TheRealPomax wrote: | Remember | https://www.theregister.com/2015/12/30/steam_security_blip_e... | ? | kace91 wrote: | Badly designed caches for example. Though I have no idea what | happened in this particular case. | mmaunder wrote: | I'm reminded that MediaWiki runs on PHP, which isn't much loved | here on HN, but does power some of the busiest sites in the | world, and PHP 7 and 8 have done a great job of moving the | language and performance forward. | nurettin wrote: | It needs to scale reads using in-memory caches. After that, all | it needs to do is to be able to handle 10-20 posts a second and | you're golden. | ibejoeb wrote: | It's been quite a while since I've looked at mediawiki. Has any | of the codebase been transition to modern PHP? | edoceo wrote: | Not really, PHP is very backwards compatibility and I don't | see lots of "modern" PHP (eg Traits, etc) in the code. I last | looked at their release from a few months ago. | | I do lots of PHP migration work (4 to 5, 5 to 7) and for much | of it it just works. | | Not much code change is necessary to the the upgraded | features of the engine. | bawolff wrote: | I feel like "traits" is just one particular feature, which | by itself is not a good proxy for whether php is modern | | Disclaimer: am mediawiki dev. No opinion on if the codebase | is "modern" because everyone defines that differently. | Kiro wrote: | This reminds of a thing that happened on MSN back in the day when | I suddenly started to receive random users' chat messages in one | of my chats. It only lasted a few minutes and it was all | different kind of languages. Never heard anything about it but in | retrospect it felt very serious. Imagine the same thing happening | on Facebook Messenger or Whatsapp. | polygot wrote: | I had a similar issue happen to myself (not on wikimedia or | anything related to wikipedia.) I clicked on "login" by accident | without filling in my credentials and I was logged in as either | an admin user or a user called "Adam". | kevmo wrote: | I wish every service did this on a weekly basis. | johnnyfaehell wrote: | You can delete your cookies on a weekly basis and it'll be like | they did. | dylan604 wrote: | Or just block cookies and never have this issue | Xylakant wrote: | Judging from the error description, deleting cookies would | likely not help in this case. This sounds as if sessions are | mixed up on the server side - deleting your cookie will only | remove your session token, not remove the session server- | side. You'd need to actually send a logout request to the | server. | hinkley wrote: | Clearing your cookies might mean you won't log into someone | else's account, but somebody else might still log in as | you. | t0astbread wrote: | I wish every service that has something like user sessions | provided the ability to revoke other sessions of your account. | Then, if the site isn't too hard to automate, you could write a | program for that. | prionassembly wrote: | Do they mean employees? My Wikipedia login lasts for 30 days, I | think. I basically only login to edit articles that require so. | Otherwise I just edit as anonymous. | dredmorbius wrote: | No. Everyone. | M2Ys4U wrote: | No, users. I just had to log in, despite recently being active. | I guess this is why. | 8ytecoder wrote: | I have seen this behaviour on Facebook, ages ago. Reported it and | yet nothing came out of it. | jayar95 wrote: | That doesnt surprise me. They will let highly problematic | security issues persist for weeks | frakkingcylons wrote: | Have any examples? | andrewmcwatters wrote: | I've always wondered if this class of cache issue resulted | primarily from collisions of some sort. I've only seen it a | handful of times over many years. Others here have mentioned it | with services using Varnish, for instance. | andrewla wrote: | I remember early in the history of E*Trade, I went to my account, | and it showed someone else's name and account information. Didn't | even bother reporting it (I was just a kid); just logged off and | on again and withdrew everything from my account and never looked | back. ___________________________________________________________________ (page generated 2020-10-02 23:00 UTC)