Page MenuHomePhabricator
Create Task
Maniphest T257853

CentralAuth edge login broken on desktop (coinciding with SameSite rollout)
Closed, DeclinedPublic
Actions

Description

After logging in on, say, hu.wikipedia.org:

  • the login itself works
  • second-level domain cookies work - I am instantly logged in on en.wikipedia.org
  • edge login doesn't work (not necessarily, see comments) - I am not instantly logged in an any of the sister projects
  • autologin works - if I wait a second or two, I get logged in on any project.

Tested in Chrome 65, 83 and 84 on Ubuntu (on mobile and desktop; also with and without "keep me logged in" - neither seems to make much difference). samesite-sandbox.glitch.me suggests I am not opted into the new SameSite treatment yet.

I think the start of this coincided with the SameSite patch rollout.

See also T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout) which might be a different incarnation of the same cookie handling problem.

Related Objects
Search...

Event Timeline

Tgr created this task.Jul 13 2020, 4:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 13 2020, 4:14 PM
Tgr updated the task description. (Show Details)Jul 13 2020, 7:58 PM
Aklapper mentioned this in T257803: Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin.Jul 15 2020, 11:07 AM
Tgr triaged this task as High priority.Jul 15 2020, 2:35 PM

This seems significantly more broken now (although the behavior is non-deterministic so it's entirely possible that it was the same on Monday and I just did not notice it). Both edge login and autologin fail sometimes; there is no obvious pattern. Same behavior in Chrome 84 (which requires SameSite) and 83 (which doesn't).

I'm also seeing two different types of autologin: an mw.notice message, and the animation replacing the user toolbar. (I know these have been around for a long time; I'm not sure what their exact relationship is.) Once, I got the notice on visiting a new wiki, then the animation on the next reload, then normal logged-in state on the third. (Which is weird. Did autologin on the first request fail to set cookies somehow? This was on 83, so not a SameSite issue.)

Visiting the login page (which triggers CA autologin) always seems to work.

Tgr added a comment.Jul 15 2020, 3:32 PM

In seems like the second-level-domain centralauth_Session cookie is only set for the current domain and for loginwiki.

Special:CentralAutoLogin/start sets an anonymous session for some projects (which is expected behavior) but only outputs a bunch of deleted cookies for others. On the projects in the first group, autologin (but not edge login) works. On the second, it doesn't.
The delete cookies are in themselves not that surprising, I've probably had a session on those wikis, which was invalidated when I logged out, so SessionManager is clearing them on the next visit. But that should not prevent initating the anonymous session, and apparently it does.

There is also a massive amount of SameSite logspam in the Chrome developer console, presumably due to all the non-authentication cookies. Unhelpfully, the errors don't name which cookie they are about. We should consider an explicit SameSite=Lax (or None) default for them, to get rid of the noise.

Tgr updated the task description. (Show Details)Jul 15 2020, 3:33 PM
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)Jul 15 2020, 3:39 PM
Tgr updated the task description. (Show Details)Jul 16 2020, 1:27 AM
Tgr mentioned this in T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout).Jul 16 2020, 4:59 PM
Tgr mentioned this in T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile.
Tgr updated the task description. (Show Details)Jul 16 2020, 5:09 PM
Tgr mentioned this in T256525: Stay logged in doesn’t work, global login doesn’t work on different projects.Jul 16 2020, 5:41 PM
Tgr renamed this task from CentralAuth edge login broken on desktop to CentralAuth edge login broken on desktop (coinciding with SameSite rollout).Jul 17 2020, 1:13 PM
mdaniels5757 subscribed.Jul 24 2020, 4:55 PM
Tgr added a parent task: T255366: SameSite cookie issues.Aug 1 2020, 12:25 PM
TheDJ mentioned this in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Jan 12 2022, 12:12 PM
R4356th subscribed.May 31 2023, 2:20 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Oct 7 2023, 6:28 PM
Tgr mentioned this in T347889: Investigate why CentralAuth edge login fails in browsers that do not block third-party cookies.Oct 7 2023, 7:01 PM
matmarex closed this task as Declined.Nov 28 2023, 10:15 PM
matmarex subscribed.

Same as T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout), there's nothing we can do today about this bug from 3 years ago now. Any logs we had have long since been deleted, and any faulty cookies would have expired after at most a year.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL