Remove deprecated response values from ApiLogin
Closed, ResolvedPublic
Actions

Description

Long ago, the only mechanism for session management in MediaWiki was certain cookies set by the User class. When ApiLogin was written, in addition to setting these cookies as usual it also returned some of the values needed to construct these cookies on the client. Presumably this was to make things easier for clients that somehow couldn't handle the standard cookie headers.

Then CentralAuth came along. Now, constructing the cookies manually would log you in to the local wiki only, without taking advantage of the SUL mechanism.

Then T55032: Multiple users with the same session ID happened, and clients that were using the manual-construction mechanism had to update their code because one of the cookie names changed and that wasn't part of the data being returned.

And soon, we'll have SessionManager and AuthManager, which will make it possible for login to easily happen in ways that don't involve cookies at all.

So it's time to eliminate the pretense that clients can manually construct the cookies instead of handing the standard HTTP cookie headers. Tentative plan is to deprecate them now and then remove them sometime during 1.28; if anyone objects to this schedule, please raise your concerns on this task.

Details

Subject	Repo	Branch	Lines +/-
API: Remove deprecated response values from action=login	mediawiki/core	master	+0 -14
Revert "API: Remove deprecated response values from action=login"	mediawiki/core	master	+14 -0
Revert "API: Remove deprecated response values from action=login"	mediawiki/core	wmf/1.28.0-wmf.13	+14 -0
API: Remove deprecated response values from action=login	mediawiki/core	master	+3 -14
ApiLogin: Deprecate certain response values	mediawiki/core	master	+11 -0

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved		Tgr	T121527 Remove deprecated response values from ApiLogin

Event Timeline

Anomie created this task.Dec 15 2015, 4:10 PM

Anomie claimed this task.

Anomie raised the priority of this task from to Needs Triage.

Anomie updated the task description. (Show Details)

Anomie added a project: MediaWiki-Action-API.

Anomie moved this task to Blocked on the MediaWiki-Action-API board.

Anomie subscribed.

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 15 2015, 4:10 PM

Change 259272 had a related patch set uploaded (by Anomie):
ApiLogin: Deprecate certain response values

https://gerrit.wikimedia.org/r/259272

gerritbot added a project: Patch-For-Review.Dec 15 2015, 4:13 PM

Krenair subscribed.Dec 15 2015, 4:15 PM

Change 259272 merged by jenkins-bot:
ApiLogin: Deprecate certain response values

https://gerrit.wikimedia.org/r/259272

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2015-12-15_(1.27.0-wmf.9)).Dec 15 2015, 7:00 PM

For the record, this is now blocked on "wait for 1.28 so we can remove the stuff, pending any objections".

intracer subscribed.Dec 15 2015, 8:59 PM

@Anomie: it would be good to document what 'removal of lgtoken' means exactly, as there are two (different) lgtokens. As I understand it, lgtoken in the return value (which would go into a cookie) is being removed, but we keep the (XSS) lgtoken passed by the client to api.php?

jayvdb subscribed.Dec 15 2015, 9:27 PM

The XSS lgtoken is a request parameter, not a response value.

-jem- subscribed.Dec 16 2015, 1:48 PM

Fastily subscribed.Dec 16 2015, 10:29 PM

Ricordisamoa subscribed.Dec 19 2015, 4:37 PM

• csteipp added a parent task: Restricted Task.Jan 8 2016, 3:32 PM

PeterBowman subscribed.Jan 14 2016, 5:49 PM

For anybody else who comes here horribly confused:

The token property in response of first login step is NOT deprecated, and still has to be used for the lgtoken parameter of the second login step.
The lgtoken property in response of the second login step is deprecated, and must not be used for anything.

So it's time to eliminate the pretense that clients can manually construct the cookies instead of handing the standard HTTP cookie headers.

Could anyone point me to documentation on what " handing the standard HTTP cookie headers" means? I built a JS library that was taking advantage of manually constructed cookies, and now it's broken, so I would be glad to update it to the long term/future-proof version

Thanks in advance for any help!

Maxime

In T121527#2018202, @Zorglub27 wrote:

Could anyone point me to documentation on what " handing the standard HTTP cookie headers" means? I built a JS library that was taking advantage of manually constructed cookies, and now it's broken, so I would be glad to update it to the long term/future-proof version

As far as I can see, you are using the standard HTTP cookie headers (you're parsing the set-cookie header). The old-and-incorrect way was to manually build a cookie from the content returned by the API.

In T121527#2018603, @valhallasw wrote:

As far as I can see, you are using the standard HTTP cookie headers (you're parsing the set-cookie header). The old-and-incorrect way was to manually build a cookie from the content returned by the API.

That's correct.

I'll add that if you're writing your own code to parse set-cookie headers, do make sure that you properly implement RFC 6265, particularly with respect to what happens if you're served an already-expired cookie.

Change 301393 had a related patch set uploaded (by Anomie):
API: Remove deprecated response values from action=login

https://gerrit.wikimedia.org/r/301393

Anomie moved this task from Blocked to Needs Review on the MediaWiki-Action-API board.Jul 27 2016, 3:51 PM

Change 301393 merged by jenkins-bot:
API: Remove deprecated response values from action=login

https://gerrit.wikimedia.org/r/301393

ReleaseTaggerBot added projects: MW-1.28-release (WMF-deploy-2016-08-02_(1.28.0-wmf.13)), MW-1.28-release-notes.Jul 29 2016, 10:00 AM

Anomie closed this task as Resolved.Jul 29 2016, 2:33 PM

Dalba mentioned this in T142155: Bot can't login. keyError in GetCookie.Aug 5 2016, 10:38 AM

Change 303317 had a related patch set uploaded (by Gergő Tisza):
Revert "API: Remove deprecated response values from action=login"

https://gerrit.wikimedia.org/r/303317

Change 303320 had a related patch set uploaded (by Gergő Tisza):
Revert "API: Remove deprecated response values from action=login"

https://gerrit.wikimedia.org/r/303320

Change 303320 merged by jenkins-bot:
Revert "API: Remove deprecated response values from action=login"

https://gerrit.wikimedia.org/r/303320

Change 303317 merged by jenkins-bot:
Revert "API: Remove deprecated response values from action=login"

https://gerrit.wikimedia.org/r/303317

Reopened this one because it was the change was reverted for T142155 . This should be implemented in the future, just not now.

In T121527#2531321, @Multichill wrote:

This should be implemented in the future, just not now.

It was announced seven months ago. People should really update their stuff when deprecation is announced, instead of complaining when the deprecated code is removed.

I'm going to reassign this to you, @Tgr. You can unrevert whenever you're ready.

Change 314647 had a related patch set uploaded (by Gergő Tisza):
API: Remove deprecated response values from action=login

https://gerrit.wikimedia.org/r/314647

gerritbot added a project: Patch-For-Review.Oct 7 2016, 4:38 AM

Change 314647 merged by jenkins-bot:
API: Remove deprecated response values from action=login

https://gerrit.wikimedia.org/r/314647

Anomie closed this task as Resolved.Oct 11 2016, 4:28 PM

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-10-11_(1.28.0-wmf.22)).Oct 11 2016, 5:00 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM