• canpolat@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Here is my understanding:

    Recently, a security vulnerability of Lemmy has been exploited by some malicious actors. This lead to some instances going down. The vulnerability has been fixed with version 0.18.2-rc.1 of lemmy-ui. But due to the way Lemmy issues and uses access tokens, the sessions has been invalidated in the database. So, the admins are recommending the users to log out and log back in if they haven’t done so after the upgrade to version 0.18.2-rc.1 of lemmy-ui.

    But I may be wrong. Perhaps others can provide a more accurate description.

      • canpolat@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        To be honest, I cannot be sure that session invalidation actually worked. I could use the session from the day before as well. But the vulnerability was in lemmy-ui, and people not using the web site directly should be fine, I guess. If you want to be on the safe side, you can log out and log back in. It takes only a few seconds.

  • Lodra@programming.dev
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Where are you seeing this happen?

    Usually, a “session” represents a client being logged into a server. For example, when you log into a website like github, a user session is created and bits of it are stored in cookies in your browser. This is what allows you to continue clicking around the website for a while without having to enter credentials constantly.

    A session being invalidated usually means that the system has decided that you are no longer authenticated. For example, github hasn’t seen you clicking around the site for 60 minutes and so it logs you out. But there are many reasons why this will happen. If you want to use the site again, you have to log back in.

    FYI, this type of security is pretty basic stuff for web development. There’s loads of info available if you want to learn more.

    • canpolat@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Where are you seeing this happen?

      It’s at the top of the page when you visit programming.dev in a browser. I tried to explain what I know about it in a sibling comment.

      Sessions have been invalidated