SECURITY: Do not treat autocreation as login for reauthentication

CVE-2025-6597

Autocreation doesn't necessarily involve real-time user
identification; it can be based on some provider identifying the
user from a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.

Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
Gergő Tisza 2025-03-23 20:33:17 +01:00 committed by Reedy
parent 35edc6c2b1
commit 3340302f40


@ -1961,7 +1961,7 @@ class AuthManager implements LoggerAwareInterface {
$user->loadFromId( IDBAccessObject::READ_LATEST );
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember );
$this->setSessionDataForUser( $user, $remember, false );
}
return Status::newGood()->warning( 'userexists' );
}
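Review bot: The bare positional `false` added to the `setSessionDataForUser` call in this hunk says nothing about why autocreation must not count as a fresh authentication, and the same opaque literal appears in the hunks at 2104 and 2163. A one-line comment above each call, `// Autocreation is not a real-time login; do not reset the reauthentication timer (CVE-2025-6597)`, or a named argument `isReauthentication: false` where the branch's minimum PHP version permits it, would carry that intent to the next reader. Separately, the new parameter in the hunk at 2846 defaults to `true`, so any caller that does not explicitly opt out is recorded as a recent authentication; defaulting to `false` or requiring the argument would make that privileged outcome explicit at every call site, though the remaining callers are outside this view.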
@ -2104,7 +2104,7 @@ class AuthManager implements LoggerAwareInterface {
] );
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember );
$this->setSessionDataForUser( $user, $remember, false );
}
$status = Status::newGood()->warning( 'userexists' );
} else {
@ -2163,7 +2163,7 @@ class AuthManager implements LoggerAwareInterface {
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember );
$this->setSessionDataForUser( $user, $remember, false );
}
return Status::newGood();
@ -2846,9 +2846,11 @@ class AuthManager implements LoggerAwareInterface {
/**
* Log the user in
* @param User $user
* @param bool|null $remember
* @param bool|null $remember The "remember me" flag.
* @param bool $isReauthentication Whether creating this session should count as a recent
* authentication for $wgReauthenticateTime checks.
*/
private function setSessionDataForUser( $user, $remember = null ) {
private function setSessionDataForUser( $user, $remember = null, $isReauthentication = true ) {
$session = $this->request->getSession();
$delay = $session->delaySave();
@ -2860,8 +2862,10 @@ class AuthManager implements LoggerAwareInterface {
if ( $remember !== null ) {
$session->setRememberUser( $remember );
}
$session->set( 'AuthManager:lastAuthId', $user->getId() );
$session->set( 'AuthManager:lastAuthTimestamp', time() );
if ( $isReauthentication ) {
$session->set( 'AuthManager:lastAuthId', $user->getId() );
$session->set( 'AuthManager:lastAuthTimestamp', time() );
}
$session->persist();
\Wikimedia\ScopedCallback::consume( $delay );