User:DWalden (WMF)/LoginNotify

Feature documentation

Extension:LoginNotify

Test documentation

Where to test it

It should be enabled on most wikis on beta and production.

How to install locally

First, install Echo, then install LoginNotify.

(Optional, but recommended) Set up email. Also go to Special:Preferences and check that the user you are testing with has an email set up. I normally use <username>@localhost.

Capabilities

  • When you log in successfully, you may see an email and/or Echo notification.
    • I am not sure exactly the conditions under which the notification will be sent.
    • The IP you used to log in will be recorded somewhere:
      • in some cases in a cache (not sure where)
      • in cu_changes or cu_private_events (if $wgLoginNotifyUseCheckUser = true;)
      • in loginnotify_seen_net (if $wgLoginNotifyUseSeenTable = true;)
  • When an attempt to log in as a username is unsuccessful (i.e. incorrect password), the username is notified (via email and/or Echo notification).
    • The wording of the email/notification will depend on whether it is a new IP address or one you have logged in with before (within a particular time span), or whether you have a cookie that was set when you last successfully logged in to the account.

Important: LoginNotify looks at the subnet that the IP is a part of: /24 for IPv4 and /64 for IPv6. So IPs 1.2.3.4 and 1.2.3.5 are considered the same, but 1.2.3.4 and 2.2.3.4 are considered different. When you are testing a "new" IP address and want to make sure LoginNotify will treat it as new, change the first number in the IP.

Techniques

Example scenarios to test.

Setup

Run this query in the database: ALTER TABLE loginnotify_seen_net MODIFY COLUMN lsn_time_bucket BIGINT NOT NULL;

Add this to LocalSettings.php:

$wgCdnServersNoPurge = [ '172.0.0.1/8' ];
$wgUsePrivateIPs = true;

$wgLoginNotifyAttemptsKnownIP = 1;
$wgLoginNotifyAttemptsNewIP = 1;
$wgLoginNotifyUseCheckUser = false;
$wgLoginNotifyUseSeenTable = true;
$wgLoginNotifyCookieExpire = 0;
$wgLoginNotifySeenExpiry = 30;
$wgLoginNotifySeenBucketSize = 10;

Install a browser extension which allows you to change your X-Forwarded-For header. For example, this one for Firefox or Chrome.

Testing

Log in successfully. In the database, run SELECT * FROM loginnotify_seen_net; to see a new row created.

After ~10 seconds (the value of $wgLoginNotifySeenBucketSize), another successful login from the same IP address will create a new row in the database.

A successful login from a new IP address should always create a new row, even within 10 seconds.

Check http://localhost:8025/ to see what email notifications have been sent.

Try to log in as the same username but with an incorrect password. Check your email at http://localhost:8025/.

If it is within 30 seconds (value of $wgLoginNotifySeenExpiry) of your last login and you haven't changed your IP, the email will start: There has been a failed attempt to log in to your account since the last time you logged in.

If it is a new IP, or outside of 30 seconds, the email will start: There has been a failed attempt to log in to your account from a new device.

If you fail to log in multiple times, the email will show you a count of the number of times login failed.
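
The subnet rule and the Testing steps above can be written down as a small model for working out in advance what a test run should produce. This is an added example, not code from LoginNotify: `network_key` and `SeenModel` are hypothetical names, the time-bucket arithmetic is an assumption, and the cookie check is left out.

```python
import ipaddress

# Values from the LocalSettings.php snippet on this page, treated as seconds.
SEEN_BUCKET_SIZE = 10  # $wgLoginNotifySeenBucketSize
SEEN_EXPIRY = 30       # $wgLoginNotifySeenExpiry


def network_key(ip):
    """Collapse an address to the subnet the page describes: /24 (IPv4) or /64 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SeenModel:
    """Hypothetical model of the expectations in the Testing steps."""

    def __init__(self):
        self.rows = set()    # (network, time bucket): one entry per expected table row
        self.last_seen = {}  # network -> time of the last successful login

    def successful_login(self, ip, now):
        net = network_key(ip)
        # Assumption: the bucket is the timestamp divided by the bucket size.
        self.rows.add((net, now // SEEN_BUCKET_SIZE))
        self.last_seen[net] = now

    def failed_login(self, ip, now):
        """Return which email wording to expect for a failed attempt."""
        seen = self.last_seen.get(network_key(ip))
        if seen is not None and now - seen <= SEEN_EXPIRY:
            return "known"  # "...since the last time you logged in."
        return "new"        # "...from a new device."


if __name__ == "__main__":
    model = SeenModel()
    model.successful_login("1.2.3.4", 100)  # constructed timestamps, in seconds
    model.successful_login("2.2.3.4", 101)  # different /24: second row at once
    print(len(model.rows), model.failed_login("1.2.3.5", 110))
```

Under this model, two logins a few seconds apart can still land in different buckets if they straddle a bucket boundary, which is one reason the page's "~10 seconds" is approximate.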

Logs and debugging

The behaviour of LoginNotify is a bit opaque to me at times. To see what is happening in the backend, search in the logs for [LoginNotify].