
CentralAuth wrongly reports successful auto-login on mirrors
Open, Needs Triage, Public

Description

Using e.g. google cache:

http://webcache.googleusercontent.com/search?q=cache:https://en.wikipedia.org/%3Ftitle%3DMs.+

It pops up "You are centrally logged in. Reload the page to apply your user settings." every time but this is obviously not true. I don't know what it did, but it didn't establish a meaningful session.

I don't know if it is feasible to prevent the auto-login attempt when it isn't useful. But at least we shouldn't report that it succeeded when it didn't.
Possibly related:

Event Timeline

Krinkle created this task. Jun 25 2015, 6:24 PM
Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description.
Krinkle added a subscriber: Krinkle.
Restricted Application added a subscriber: Aklapper. Jun 25 2015, 6:24 PM

Duplicate / generalization of https://phabricator.wikimedia.org/T57887?

T100413 is related in that we see this effect when the autologin script is run on a domain that doesn't map to a wiki id, which is currently the case for *.m.* domains at the WMF.

It would be less efficient, but we could load the personalization message via xhr, so only CORS domains could load it. I think we've talked about that previously, but I don't recall the outcome.

> It would be less efficient, but we could load the personalization message via xhr, so only CORS domains could load it. I think we've talked about that previously, but I don't recall the outcome.

I don't recall that either, but I imagine one issue there is that we support a superset of browsers that support CORS. Though we can fall back to current behaviour in that case (using e.g. bool $.support.cors). Can you elaborate on what we'd use CORS for exactly?
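
The XHR/CORS idea discussed in the comments above, modelled as an added example that is not part of the thread and is not CentralAuth code. The origin allowlist, the function names and the `user` field of the response are assumptions made for illustration.

```javascript
// Hypothetical allowlist of origins that map to a wiki (constructed values).
const WIKI_ORIGINS = new Set([
  'https://en.wikipedia.org',
  'https://commons.wikimedia.org',
]);

// Server side: CORS headers for a credentialed request from `origin`.
// Browsers reject "*" for credentialed requests, so the exact origin is echoed,
// and only when it is on the allowlist.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' };
  if (origin && WIKI_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Model of the browser's check for an XHR sent with withCredentials = true:
// the script may read the response only if both headers match.
function scriptMayReadResponse(pageOrigin, headers) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Client side: announce central login only when the response was readable
// and actually names a user (hypothetical response shape).
function shouldShowLoggedInNotice(pageOrigin, responseBody) {
  const headers = corsHeadersFor(pageOrigin);
  if (!scriptMayReadResponse(pageOrigin, headers)) {
    return false; // mirror or unmapped domain: stay silent
  }
  return typeof responseBody.user === 'string' && responseBody.user.length > 0;
}

// Constructed sample: the same logged-in answer requested from a wiki page
// and from a cached copy served by a mirror, plus an anonymous answer.
const loggedIn = { user: 'ExampleUser' };
const results = [
  ['https://en.wikipedia.org', loggedIn],
  ['http://webcache.googleusercontent.com', loggedIn],
  ['https://en.wikipedia.org', { user: null }],
].map(([origin, body]) => [origin, shouldShowLoggedInNotice(origin, body)]);
console.log(results);
```

The mirror never receives a readable response, so the notice cannot be shown there regardless of the user's session on the wiki.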