Page MenuHomePhabricator
Create Task
Maniphest T124409

Logging out immediately logs you back in
Closed, ResolvedPublic
Actions

Description

I am unable to log out of Wikimedia from the English Wikipedia. Immediately after pressing "logout", I get centrally logged in again. I am using Monobook on Safari.

Other people seem to have the same problem, see https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#No_longer_able_to_log_out_.28thank_you.2C_WMF.21.29

Details

SubjectRepoBranchLines +/-
SessionManager: Add SessionBackend::setProviderMetadata()mediawiki/coremaster+20 -1
SessionManager: Track whether the session is supposed to be CA or Localmediawiki/extensions/CentralAuthmaster+53 -13
SessionManager: Track whether the session is supposed to be CA or Localmediawiki/extensions/CentralAuthwmf/1.27.0-wmf.11+53 -13
SessionManager: Add SessionBackend::setProviderMetadata()mediawiki/corewmf/1.27.0-wmf.11+20 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Kusma created this task.Jan 22 2016, 12:18 PM
Kusma raised the priority of this task from to Needs Triage.
Kusma updated the task description. (Show Details)
Kusma subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 22 2016, 12:18 PM
Reedy added projects: MediaWiki-General, MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)).Jan 22 2016, 12:24 PM
Reedy set Security to None.
Reedy added subscribers: Tgr, Anomie.
Glaisher triaged this task as Unbreak Now! priority.Jan 22 2016, 12:28 PM
Glaisher subscribed.

I can also reproduce this issue. This seems pretty UBN to me.

Redrose64 subscribed.Jan 22 2016, 12:36 PM

This is a security issue. If an admin logs in on a public computer - like in a library or in their office's common area - they try to log out but don't notice that they didn't: then the next person using that machine has admin rights on WP which they probably aren't entitled to.

JEumerus added projects: MediaWiki-User-login-and-signup, MediaWiki-extensions-CentralAuth.Jan 22 2016, 12:39 PM
JEumerus subscribed.

Seeing as this seems to be an issue with the CentralAuth function, adding two associated projects.

jcrespo subscribed.Jan 22 2016, 12:40 PM

Probably related: T124406

Reedy subscribed.Jan 22 2016, 12:41 PM

It's presumably related to the session updates in .11

I can logout fine from enwiki, FWIW, as can other people

Reedy removed a project: MediaWiki-General.Jan 22 2016, 12:42 PM
Joe subscribed.Jan 22 2016, 12:42 PM

I can logout as well, FWIW. The issue clearly exists though.

TheresNoTime subscribed.Jan 22 2016, 1:02 PM
Bugreporter subscribed.EditedJan 22 2016, 2:04 PM

Also reproduced in enwiki, zhwiki, wikidatawiki, metawiki, mediawikiwiki. However logging out at loginwiki probably don't have this problem.

Fae subscribed.Jan 22 2016, 2:09 PM
Betacommand subscribed.Jan 22 2016, 2:15 PM
Anomie added a comment.Jan 22 2016, 2:18 PM

What's going on here is that logging out on a wiki other than loginwiki isn't invalidating the session that exists on loginwiki, so CentralAuth's "auto-login if you're logged in on loginwiki" code is immediately logging you back in.

I can't reproduce in my normal Firefox profile because apparently I have some cookie setting that breaks that CA auto-login, but I can reproduce on a newly-created profile.

I'm working on a fix for it now.

MZMcBride subscribed.Jan 22 2016, 2:51 PM
Pmlineditor subscribed.Jan 22 2016, 2:53 PM
matmarex subscribed.Jan 22 2016, 3:22 PM
QEDK subscribed.Jan 22 2016, 3:24 PM
This comment was removed by QEDK.
QEDK added a comment.Jan 22 2016, 3:25 PM
In T124409#1955349, @Anomie wrote:

I can't reproduce in my normal Firefox profile because apparently I have some cookie setting that breaks that CA auto-login, but I can reproduce on a newly-created profile.

Cannot replicate this on the (latest) Firefox either.

QEDK added a comment.Jan 22 2016, 3:38 PM

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Reedy added a comment.Jan 22 2016, 3:44 PM
In T124409#1955532, @Ankit-Maity wrote:

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Nikerabbit subscribed.Jan 22 2016, 4:03 PM
gerritbot subscribed.Jan 22 2016, 4:13 PM

Change 265748 had a related patch set uploaded (by Anomie):
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265748

gerritbot added a project: Patch-For-Review.Jan 22 2016, 4:13 PM

Change 265749 had a related patch set uploaded (by Anomie):
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265749

gerritbot added a comment.Jan 22 2016, 4:17 PM

Change 265750 had a related patch set uploaded (by Anomie):
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265750

gerritbot added a comment.Jan 22 2016, 4:17 PM

Change 265751 had a related patch set uploaded (by Anomie):
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265751

csteipp merged a task: Restricted Task.Jan 22 2016, 4:31 PM
csteipp added subscribers: csteipp, Krenair, Hazard-SJ.
QEDK added a comment.Jan 22 2016, 4:33 PM
In T124409#1955561, @Reedy wrote:
In T124409#1955532, @Ankit-Maity wrote:

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Correct, maybe after the fix.

gerritbot added a comment.Jan 22 2016, 4:39 PM

Change 265750 merged by jenkins-bot:
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265750

Reedy added a comment.Jan 22 2016, 4:40 PM
In T124409#1955792, @Ankit-Maity wrote:
In T124409#1955561, @Reedy wrote:
In T124409#1955532, @Ankit-Maity wrote:

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Correct, maybe after the fix.

Yes, maybe after. Doing it before would've been pointless if they logged in again

gerritbot added a comment.Jan 22 2016, 4:43 PM

Change 265751 merged by jenkins-bot:
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265751

Xaosflux subscribed.Jan 22 2016, 4:48 PM
Anomie closed this task as Resolved.Jan 22 2016, 4:56 PM
Anomie claimed this task.

The fix is confirmed and deployed, so I'm going to mark this as resolved.

Invalidating all existing sessions is being worked on, and should happen in a little bit.

gerritbot added a comment.Jan 22 2016, 5:03 PM

Change 265748 merged by jenkins-bot:
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265748

gerritbot added a comment.Jan 22 2016, 5:03 PM

Change 265749 merged by jenkins-bot:
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265749

Reedy mentioned this in T124440: Invalidate all users sessions.Jan 22 2016, 5:10 PM
Reedy removed a subtask: T124440: Invalidate all users sessions.Jan 22 2016, 5:12 PM
Reedy added a parent task: T124440: Invalidate all users sessions.
ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-02-02_(1.27.0-wmf.12)).Jan 22 2016, 6:00 PM
Anomie mentioned this in T124468: CentralAuth is not logging the user into loginwiki anymore.Jan 22 2016, 7:54 PM
I_JethroBT subscribed.Jan 22 2016, 9:38 PM
Legoktm reopened this task as Open.Jan 23 2016, 1:09 AM
Legoktm subscribed.

There've been reports that this is still happening.

Legoktm added a comment.Jan 23 2016, 1:10 AM

We're rolling back to wmf.10 right now.

Tgr added a comment.Jan 23 2016, 1:15 AM

Happened to me a single time, incognito Chrome, enwiki I believe? I had lots of windows open and I closed the one accidentally :-/ I logged in, then out, and the CentralAuth autologin thingie immediately replaced the user toolbar on the login screen.

Tried to reproduce but could not; I don't think I did anything differently. I think this was the first time I used that test account since @Anomie patched CentralAuth so my guess is the stored metadata did not have a source key and that made the metadata merge successful. (I still only half-understand that stuff so chances are that's a stupid guess :)

greg subscribed.Jan 23 2016, 1:16 AM

We have now rolled back all wikis to 1.27-wmf.10. This issue should be gone now (/me crosses fingers). We'll work on resolving this and moving forward next week.

Anomie added a comment.Jan 23 2016, 1:17 AM
In T124409#1958561, @Tgr wrote:

I think this was the first time I used that test account since @Anomie patched CentralAuth so my guess is the stored metadata did not have a source key and that made the metadata merge successful. (I still only half-understand that stuff so chances are that's a stupid guess :)

That sounds like a good guess to me.

In T124409#1958564, @greg wrote:

We have now rolled back all wikis to 1.27-wmf.10.

:(

bd808 subscribed.Jan 23 2016, 1:20 AM
Tgr added a parent task: T123451: Deploy SessionManager and bot passwords.Jan 23 2016, 5:59 PM
jeremyb-phone added a subscriber: jeremyb.Jan 23 2016, 6:16 PM
greg mentioned this in T124356: Incorrect TOC and section edit links rendering in Vector due to ParserCache corruption via ParserOutput::setText( ParserOutput::getText() ).Jan 25 2016, 7:19 PM
bd808 added a comment.Jan 27 2016, 8:26 PM

1.27.0-wmf.11 is back on group1 (everything but the wikipedias) as of 2016-01-27T19:14. Please be on the lookout for any recurrence of the prior logout issues and report back here if you feel that you can reproduce.

greg mentioned this in T125143: Blockers to deploying 1.27-wmf.11.Jan 28 2016, 8:33 PM
Krinkle moved this task from Backlog to To-do on the MediaWiki-extensions-CentralAuth board.Jan 28 2016, 9:39 PM
greg added a parent task: T125143: Blockers to deploying 1.27-wmf.11.Jan 28 2016, 10:23 PM
MGChecker subscribed.Jan 31 2016, 7:16 PM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 31 2016, 7:16 PM
Anomie mentioned this in T125283: Users occasionally logged in as different users after SessionManager deployment.Jan 31 2016, 9:15 PM
Anomie closed this task as Resolved.Feb 4 2016, 4:43 PM

Since no one reported this all last week while wmf.11 was live, let's call this resolved again.

TerraCodes subscribed.Feb 6 2016, 10:20 PM
MarcoAurelio moved this task from To-do to Done on the MediaWiki-extensions-CentralAuth board.May 9 2016, 9:10 AM
Restricted Application added a subscriber: Urbanecm. · View Herald TranscriptMay 9 2016, 9:10 AM
Anomie mentioned this in T51890: Logging out on a different device logs me out everywhere else.Jul 17 2017, 2:09 PM
Tgr mentioned this in T37220: Allow per-session log out.May 7 2019, 4:58 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL