Hi, I'm a new wiki user and can reproduce this issue. What can I help to resolve this?

@Urbanecm It might be a bit late to tell, but earlier this year, the local community have noticed that if the users who run into the problem submit their edits before the 2010 version of the wikitext editor load completely, the submission would be succeeded and their sessions would not lose in a few days. That might be a clue about why it happens.

What I mean is that there might be some problems with the scripts (or something) which will be loaded in the very end of the editing page loading procedure, and if the script is not loaded, and the user successfully submitted their edit, the local cookie would stop the problem from occuring for some time.

I could reproduce the issue when I was a New user in Dec.2020.
Now,There are also many users to say they have the problem in groups.

Use non-globally blocked IP or confirmed right to edit also reproduced.

According to T295010, This will not log out if you are editing in debug mode.

By using controlled expriments, I am highly confident that this is caused by RefToolbar, which is enabled by default for everyone. Disabling this gadget from user preferences solves this problem, and once enabling it, I lose my login status.

I really have no clue why this script could manipulate my cookies, since I see nothing related to it in its code.

Looks like this is a CentralAuth problem: I could not create an English Wikipedia local account via CentralAuth thanks to English Wikipedia's local blocking of the web host. Thus, sending a request to a site without a local account (nor create one) somehow causes the CentralAuth-related cookies be deleted by response header. After the CentralAuth cookies got deleted, another request is sent to Chinese Wikipedia locally (due to a script loading) - without CentralAuth cookies - now Chinese Wikipedia's local login cookies are deleted too. The user is now technically "auto logged out".

I somehow auto created an English Wikipedia local account, and the problem would not happen, even if I am behind a blocked address.

This is a complex logic problem, and I am adding the CentralAuth team here.

Thanks for @MilkyDefer's comment. I can reproduce the bug every times. I have provided a stable steps to reproduce it in task description.

I am pinging @Urbanecm here to see if it is possible to pinpoint the exact problem with the code with our newest discoveries. Should I change the title?

I think we can either:

• Prevent the change of cookies related with centralauth; or
• Allow auto creation of a local account from centralauth, even if the IP address is blocked.

Mentioned in SAL (#wikimedia-operations) [2021-11-15T16:34:41Z] <urbanecm> [urbanecm@mwmaint1002 ~]$ mwscript extensions/CentralAuth/maintenance/createLocalAccount.php --wiki=enwiki 'MU test T244635 1'

I confirm the observations – https://en.wikipedia.org/w/index.php?title=MediaWiki:RefToolbar.js&action=raw&ctype=text/javascript gets loaded for my fresh zh.wikipedia account (with local IPBE), and it removes my session in its entirety. Nice found!

After I forcefully created the acc at enwiki, everything suddenly starts to work.

Apart from the potential solutions you offered, simply copying RefToolbar's code to zhwiki space should workaround the issue. A simple IA-privileged bot should be able to maintain the page if so desired. Not ideal, but better than status quo I think?

In T244635#7503879, @MilkyDefer wrote:

I am pinging @Urbanecm here to see if it is possible to pinpoint the exact problem with the code with our newest discoveries. Should I change the title?

Yes please :). Now it's finally clear what's happening. Not yet why, but we can iterate from here.

I think we can either:

• Prevent the change of cookies related with centralauth; or

Definitely worth investigation! @Majavah, do you have an idea if this happens within CA or core?

• Allow auto creation of a local account from centralauth, even if the IP address is blocked.

That's intentional, otherwise local account creation blocks would be useless (you would be able to just bypass via other projects).

In T244635#7504225, @Urbanecm wrote:

• Prevent the change of cookies related with centralauth; or

Definitely worth investigation! @Majavah, do you have an idea if this happens within CA or core?

I think this is happening in CentralAuthSessionProvider, this code block is currently my best guess.

在T244635#7504225中，@Urbanecm写道：

Apart from the potential solutions you offered, simply copying RefToolbar's code to zhwiki space should workaround the issue. A simple IA-privileged bot should be able to maintain the page if so desired. Not ideal, but better than status quo I think?

Now only the cross-domain request for RefToolbar gadget has been found to cause this problem, but there are multiple scripts in zhwiki that have cross-domain requests. I’m not sure if there are other scripts that can cause this problem?

In T244635#7505821, @Shizhao wrote:

在T244635#7504225中，@Urbanecm写道：

Apart from the potential solutions you offered, simply copying RefToolbar's code to zhwiki space should workaround the issue. A simple IA-privileged bot should be able to maintain the page if so desired. Not ideal, but better than status quo I think?

Now only the cross-domain request for RefToolbar gadget has been found to cause this problem, but there are multiple scripts in zhwiki that have cross-domain requests. I’m not sure if there are other scripts that can cause this problem?

Yes, very likely requesting the same gadget from ie. cswiki would have the same implication (your computer making a request to cs.wikipedia, which doesn't let you to autocreate an acc., which logs you out).

In T244635#7505826, @Urbanecm wrote:

In T244635#7505821, @Shizhao wrote:

在T244635#7504225中，@Urbanecm写道：

Apart from the potential solutions you offered, simply copying RefToolbar's code to zhwiki space should workaround the issue. A simple IA-privileged bot should be able to maintain the page if so desired. Not ideal, but better than status quo I think?

Now only the cross-domain request for RefToolbar gadget has been found to cause this problem, but there are multiple scripts in zhwiki that have cross-domain requests. I’m not sure if there are other scripts that can cause this problem?

Yes, very likely requesting the same gadget from ie. cswiki would have the same implication (your computer making a request to cs.wikipedia, which doesn't let you to autocreate an acc., which logs you out).

But why should it remove the entire session even on other wiki rather than just disallow the autocreation of a local account? Don't think it's appropriate.

There are some reports claiming that they encountered an auto-logout problem from their Android app. From the video they showed us, they got logged out seconds after they logged in. And we later checked one of them's CentralAuth and found that he didn't have English Wikipedia local account attached. I am wondering whether this could be related.

In T244635#7589172, @MilkyDefer wrote:

There are some reports claiming that they encountered an auto-logout problem from their Android app. From the video they showed us, they got logged out seconds after they logged in. And we later checked one of them's CentralAuth and found that he didn't have English Wikipedia local account attached. I am wondering whether this could be related.

I don't think so. To trigger this bug, you need to load resource from a different wiki (like a script, gadget or use script). AFAIK, the android app uses API for making the edits, so there's no web-based session at all. Or am I missing something?

@Urbanecm We have a new user experiencing the Android App problem. User:Evesiesta reports that he immediately gets logged out whenever he successfully logs in. Could you create a local English Wikipedia account for him and we could see whether this will solve his problem?

In T244635#7590799, @MilkyDefer wrote:

@Urbanecm We have a new user experiencing the Android App problem. User:Evesiesta reports that he immediately gets logged out whenever he successfully logs in. Could you create a local English Wikipedia account for him and we could see whether this will solve his problem?

Done. Let's see what happens.

It's midnight in his time zone and I am afraid that we need to wait for tomorrow. I will update this message as soon as I receive his feedback.

Update:
@Urbanecm "Problem solved", he said. I am now very confident that this should be the exact cause of Android App auto-logout issue. Bring the Android team in?

This is interesting. I'm curious which resources from the English Wikipedia are loaded by the Android app. Definitely yes, let's bring the Android team people too.

@Urbanecm Thanks for the heads up. Would someone mind restating the exact steps to reproduce this from the Android app?

User:YQXP123 reproduced the bug without IPBE and also not using proxy.

After this user closed the Refbar tool,the problem seems resolved. This user does not have a local account in enwiki...

According to T305025, automatically confirm that the user will be automatically logged out when accessing ruwiki.

In T244635#7596218, @Dbrant wrote:

@Urbanecm Thanks for the heads up. Would someone mind restating the exact steps to reproduce this from the Android app?

This is test at 00:38, 24 May 2022.

1. Register an account on zhwiki and request temporary ipblock-exempt. (don't login it, or gadgets may let you auto create enwiki's account.)
2. Open a VPN on Android. In this test, I use ProtonVPN free node.
3. Login to Wikipedia App, after about five to ten seconds you will get a warning that you are logged out.

After the test, I got a commons account (see https://meta.wikimedia.org/wiki/Special:CentralAuth/RainBeforeSun).

I also have this problem in plwiki. Steps to reproduce.

1. ip bloked on enwiki, but not blocked on plwiki
2. create new account on plwiki
3. try to edit any article and add a link (this is needed to be asked of CAPTCHA, only then session cookies will be lost)
4. enter correct CAPTCHA
5. click submit

Then somehow a request is sent to en.wikipedia.org where ip is blocked and a local account can not be autocreated. Then session cookies are removed.

@WMDE-leszek maybe you can have a look? Or redirect to someone who can solve this. It is also particularly annoying that at the moment a new user cannot even add link to any article in plwiki (if ip is blocked on enwiki)

@WMDE-leszek I am not really on top of this, WMDE does not maintain the related code, so I cannot be of much help, apologies.
However, I see @Urbanecm_WMF was quite active here in his non-WMF identity, maybe they could help identifying who (which WMF team etc) could help here?

No WMF team owns CentralAuth itself, in practice most recent maintenance has been done by @Zabe and myself. ConfirmEdit making cross-wiki requests sounds like a separate bug in itself, and that extension is owned by Editing-team.

In T244635#7973364, @WMDE-leszek wrote:

[...]
However, I see Urbanecm_WMF was quite active here in his non-WMF identity, maybe they could help identifying who (which WMF team etc) could help here?

Unfortunately, can't help here much either. As Majavah said, there is no WMF team assigned to maintain CentralAuth, even though it's a critical extension in our setup. Code stewardship request is pending as T252244: CentralAuth extension: Code stewardship review.

Then somehow a request is sent to en.wikipedia.org

It would be useful to track down what kind of request is made, otherwise it's hard to tell where to start looking.

If you manage to find simpler steps to reproduce, that would also help the debugging efforts.

In T244635#7591326, @Urbanecm wrote:

This is interesting. I'm curious which resources from the English Wikipedia are loaded by the Android app. Definitely yes, let's bring the Android team people too.

The app try to login on enwiki. See 2022-06-15 Updates in Description.
If you exclude English in "Wikipedia languages" settings, no requests will be sent to en.wikipedia.org. You won't be logged out.

In https://gerrit.wikimedia.org/g/mediawiki/core/+/514d941a73f90f56bc0e45fa3c755d3d3c9c5d36/includes/session/SessionManager.php#719

$metadata = {"provider":"CentralAuthSessionProvider","providerMetadata":{"CentralAuthSource":"CentralAuth"},"userId":0,"userName":null,"userToken":null,"remember":false,"forceHTTPS":false,"expires":1655393527,"loggedOut":0,"persisted":true}

Then run into Line 756
Log shows

Session "[50]CentralAuthSessionProvider<+:0:Test2>nt31sicb3fqaem4rt6j7irq1ii353tbs": Metadata has an anonymous user, but a non-anon user was provided
and
(string)$userInfo = <+:0:Test2>  // (Test2 is the account username)

Then return FALSE back to https://gerrit.wikimedia.org/g/mediawiki/core/+/514d941a73f90f56bc0e45fa3c755d3d3c9c5d36/includes/session/SessionManager.php#546
So jump into Line 565, then delete the cookies.

When I tested this locally using GlobalBlocking, I found that auto-creation actually succeeds. The IP address is globally blocked, but that is not actually checked for in CheckBlocksSecondaryAuthenticationProvider. There's a comment which says it is the responsibility of authorizeCreateAccount(), but that is not called.

That's surprising to me since I assumed this bug was about local account creation being blocked. In T244635#7504225 @Urbanecm said that it's not possible to allow local creation, but maybe it's already allowed?

In step 7 of the task description, you can see Set-Cookie headers for centralauth_User together with enwikiSession in the same request. These are cookies from CentralAuthSessionProvider::persistSession(). It's hard to see how that could happen without a successful login to enwiki.

Confirmed still happended when es.wikipedia.org block My IP range (VPS IP).
Some gadgets' JavaScript on zh.wikipedia.org load resource from es.wikipedia.org, make me suddenly logout.