Forum:Session hijacking?

When I just logged in I got an error message, something about session hijacking. What is session hijacking and why did I get that error? SereneChaos 01:20, December 3, 2011 (UTC)


 * Your session is the period of time you're logged in for. It begins when you log in, and ends when you log out. This session is controlled by a cookie that the server gives you when you log in. Every time you load up a page, your browser shows the cookie to the server, so that the server knows who you are. That cookie is unique to you and that particular session. If someone else were to get their hands on that cookie, they could use it to log in as you without using your password - that's session hijacking. MediaWiki takes steps to prevent people from gaining access to your account through those means, and disallows certain actions when something isn't right. For example, if you try to open a rollback link as a popup, MediaWiki won't perform the rollback. When you get an error message about session hijacking, it just means that MediaWiki isn't entirely sure you are who you say you are, and to protect your account, it won't let you do what you wanted to do. The vast majority of these messages are false positives, but they also stop a lot of hacking.
 * That's what session hijacking is - as to exactly why you got the message, I don't know. If it won't let you log in at all, you should send a message to Special:Contact/bug.
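
Added example, not part of the original thread and not MediaWiki's actual code: a simplified Python model of the check described in the answer above, where the server refuses an action unless the request carries both the session cookie and a token tied to that session. The names `log_in`, `action_token`, `handle_request`, `log_out` and the `rollback:12345` action string are hypothetical.

```python
import hashlib
import hmac
import secrets

# Server-side session table: session id (the cookie value) -> session data.
SESSIONS = {}


def log_in(username):
    """Start a session and return the cookie value the browser sends back."""
    session_id = secrets.token_urlsafe(32)  # unguessable cookie value
    SESSIONS[session_id] = {
        "user": username,
        "secret": secrets.token_bytes(32),  # never leaves the server
    }
    return session_id


def action_token(session_id, action):
    """Token the server embeds in links and forms rendered for this session."""
    secret = SESSIONS[session_id]["secret"]
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()


def handle_request(cookie, action, token):
    """Return (allowed, message) for a state-changing request."""
    session = SESSIONS.get(cookie)
    if session is None:
        return False, "not logged in"
    expected = action_token(cookie, action)
    # Constant-time comparison. A missing or mismatched token means the
    # server cannot tell that the request came from a page it served to
    # this session, so it refuses instead of guessing.
    if token is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "session check failed; action cancelled"
    return True, f"{action} performed as {session['user']}"


def log_out(cookie):
    """End the session; the old cookie and its tokens stop working."""
    SESSIONS.pop(cookie, None)


if __name__ == "__main__":
    cookie = log_in("ExampleUser")  # constructed sample user
    good = action_token(cookie, "rollback:12345")
    print(handle_request(cookie, "rollback:12345", good))
    print(handle_request(cookie, "rollback:12345", None))
```

A request that arrives with a valid cookie but without the matching token is cancelled, which is also how a legitimate user can end up seeing a false positive.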


 * Oh, it's a cookie grabber. Okay, thanks for the explanation! =) SereneChaos 01:50, December 3, 2011 (UTC)


 * Actually, when a user vandalizes, I go to their contributions page, and right click/new tab to rollback every bad edit of his/hers. It's worked every time I did it.
 * Well, at least now I know what that means.


 * Roads (So Ferb, how many licks does it take to get to the center of a Tootsie Pop?) 12:15, December 6, 2011 (UTC)


 * "Open this link in a new tab" is slightly different than an actual popup. Popups can be generated with JavaScript and adhere to slightly stricter rules, primarily because they aren't usually instantiated by the user. Moreover, you only get a consistent session hijacking warning if you set up the link to open as a popup, and then physically click it. If I remember correctly, running it from console doesn't generate a session hijacking warning.