Page MenuHomePhabricator
Create Task
Maniphest T109038

[Bug] Users are unable to login on wikidata.org until they clear their cookies
Closed, ResolvedPublic
Actions

Description

People are reporting that they are unable to log into wikidata.org and being redirected even though they're not logged in. Clearing all cookies fixes the issue.

Reports:

Possible cause could be rOMWC0275738d2d10: Isolate wikidata.org cookies and CORS policies?

Details

SubjectRepoBranchLines +/-
Remove wikidata CA cookie hacksoperations/puppetproduction+0 -20
refactor wikidata CA cookies workarounds a bitoperations/puppetproduction+17 -15
Another CentralAuth double cookie workaroundoperations/puppetproduction+5 -0
Fix remaining wikidata login issues: duplicate CA Useroperations/puppetproduction+5 -0
wikidata.org cookie workaround: add comments re task and when it can be removedoperations/puppetproduction+2 -0
Attempt to fix CA token issue via double-value detection -> delete on .wikidata.orgoperations/puppetproduction+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Aug 14 2015, 6:54 AM
Legoktm raised the priority of this task from to Unbreak Now!.
Legoktm updated the task description. (Show Details)
Legoktm added projects: WMF-General-or-Unknown, MediaWiki-extensions-CentralAuth, Wikidata.
Legoktm added subscribers: Legoktm, csteipp, Lydia_Pintscher and 3 others.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 14 2015, 6:54 AM
Mbch331 subscribed.Aug 14 2015, 7:19 AM
Lydia_Pintscher merged a task: T108999: unable to add interlanguage links due to failing to log into central data repository.Aug 14 2015, 7:30 AM
Lydia_Pintscher added subscribers: Billinghurst, Krenair, Ortjens.
Akoopal subscribed.Aug 14 2015, 7:59 AM
Magnus subscribed.Aug 14 2015, 8:09 AM

Had the same issue. Clearing cookies lets me log into Wikidata, but "locally". Logging into another Wikimedia site activates the "global" login for those. Both work now (no "you are centrally logged in" message on Wikidata again).

thiemowmde subscribed.Aug 14 2015, 9:11 AM

Could the cause of this issue and T50389: [Bug] Login issue with add language links widget be the same?

hoo added a subscriber: BBlack.Aug 14 2015, 10:02 AM

The way to go here is probably to unset the old cookies via varnish, if they exist. @BBlack can help with that.

Daniel_Mietchen subscribed.Aug 14 2015, 11:14 AM
Lydia_Pintscher renamed this task from Users are unable to login on wikidata.org until they clear their cookies to [Bug] Users are unable to login on wikidata.org until they clear their cookies.Aug 14 2015, 11:24 AM
Lydia_Pintscher set Security to None.
Lydia_Pintscher moved this task from incoming to consider for next sprint on the Wikidata board.
BBlack added a comment.Aug 14 2015, 11:54 AM

Does someone have the specific details here on what cookie name to wipe on requests to what domainname(s)?

BBlack added a comment.EditedAug 14 2015, 12:41 PM

As best I can tell from my own testing (but I think someone with deeper insight into the CORS change for (www|query).wikidata.org and S:UL and such would need to confirm this sounds sane): I was able to reproduce the issue, and I was able to apparently perma-fix it for myself by deleting the centralauth_Token cookie in my browser cookie set that was stored under "wikidata.org" (as opposed to www.wikidata.org).

From the server end, we can't tell what domain a cookie was set for, only that it matched for the browser's request. So we could, for example, put a hack in varnish to delete the centralauth_Token cookie on requests with the exact Host header "wikidata.org" just to kill the one problematic cookie, but users would actually have to visit https://wikidata.org/ to trigger the fix. We could maybe do that part by embedding a request to it in all accesses to www.wikidata.org temporarily or something like that. There might be some better application-level way of dealing with this, though.

Addshore subscribed.Aug 14 2015, 12:43 PM
Billinghurst added a comment.Aug 14 2015, 12:55 PM

A site notice would probably be really useful for WD users telling them what to do (yes, old technology)

csteipp added a comment.Aug 14 2015, 1:13 PM

@BBlack, if you're able to reproduce, can you capture the headers and send
them to me? Or post here if you're comfortable.

I'm guessing you ended up with two token/session cookies, and either guy
the wrong one or the browser sends both and we're parsing the wrong one
out. But would like to confirm

gerritbot subscribed.Aug 14 2015, 1:35 PM

Change 231556 had a related patch set uploaded (by BBlack):
Attempt to fix CA token issue via double-value detection -> delete on .wikidata.org

https://gerrit.wikimedia.org/r/231556

gerritbot added a project: Patch-For-Review.Aug 14 2015, 1:35 PM
gerritbot added a comment.Aug 14 2015, 1:56 PM

Change 231556 merged by BBlack:
Attempt to fix CA token issue via double-value detection -> delete on .wikidata.org

https://gerrit.wikimedia.org/r/231556

BBlack mentioned this in rOPUP93d255f3941b: Attempt to fix CA token issue via double-value detection -> delete on ..Aug 14 2015, 1:56 PM
matej_suchanek added a project: User-notice.Aug 14 2015, 2:05 PM
gerritbot added a comment.Aug 14 2015, 2:11 PM

Change 231558 had a related patch set uploaded (by BBlack):
wikidata.org cookie workaround: add comments re task and when it can be removed

https://gerrit.wikimedia.org/r/231558

gerritbot added a comment.Aug 14 2015, 2:12 PM

Change 231558 merged by BBlack:
wikidata.org cookie workaround: add comments re task and when it can be removed

https://gerrit.wikimedia.org/r/231558

BBlack mentioned this in rOPUP5830db7ecff6: wikidata.org cookie workaround: add comments re task and when it can be removed.Aug 14 2015, 2:12 PM
BBlack added a subscriber: JanZerebecki.Aug 14 2015, 2:14 PM

We think the workaround deployed via https://gerrit.wikimedia.org/r/231556 should fix this up well enough. It worked for @JanZerebecki who still had the old bad cookie, which the fixup wiped out. Can others confirm?

JanZerebecki closed this task as Resolved.Aug 14 2015, 2:14 PM
JanZerebecki claimed this task.
JanZerebecki changed the status of subtask T109072: [Task] Revert https://gerrit.wikimedia.org/r/#/c/231556/3 on 2015-09-14 from Open to Stalled.
JanZerebecki removed a project: User-notice.
JanZerebecki added a comment.Aug 14 2015, 5:20 PM

@csteipp Sorry I missed that. I don't have the tab open anymore. I don't remember the order but in the Cookie HTTP header there where two key-value pairs for centralauth_Token with different values. One for www.wikidata.org and one for .wikidata.org . See the patch for the regex that matched that situation. After that the .wikidata.org one was deleted. Should that also be fixed in CentralAuth?

csteipp added a comment.Aug 14 2015, 5:58 PM
In T109038#1540332, @JanZerebecki wrote:

@csteipp Sorry I missed that. I don't have the tab open anymore. I don't remember the order but in the Cookie HTTP header there where two key-value pairs for centralauth_Token with different values. One for www.wikidata.org and one for .wikidata.org . See the patch for the regex that matched that situation. After that the .wikidata.org one was deleted. Should that also be fixed in CentralAuth?

Yeah, I was mostly interested if that was in fact the issue. So confirmed.

To avoid this in the future, we could look at how CentralAuth gets the cookie and see if we can either identify the correct one or check all of the ones that come in.

JanZerebecki mentioned this in T109145: deal with two cookie values for the token.Aug 14 2015, 10:07 PM
Mbch331 added a comment.Aug 18 2015, 6:53 AM

At least one user still had this problem today. See https://www.wikidata.org/wiki/Wikidata:Project_chat#Central_login.

JanZerebecki added a comment.Aug 18 2015, 10:22 AM

Sadly there is no way to reproduce it once the cookies are deleted.

Ankry subscribed.Aug 21 2015, 11:03 PM

I hit this also tonight.

If it helps: I had two "centralauth_User" cookies: one for previously logged user and another one for currently logged user (I was relogging to another account)

BBlack added a comment.Aug 22 2015, 12:43 AM

Ah, that makes some logical sense. We should probably stripping duplicate _User the way we are for duplicate _Token to address the bulk of it....

gerritbot added a comment.Aug 22 2015, 12:48 AM

Change 233086 had a related patch set uploaded (by BBlack):
Fix remaining wikidata login issues: duplicate CA User

https://gerrit.wikimedia.org/r/233086

gerritbot added a comment.Aug 22 2015, 12:50 AM

Change 233086 merged by BBlack:
Fix remaining wikidata login issues: duplicate CA User

https://gerrit.wikimedia.org/r/233086

BBlack mentioned this in rOPUP46785c71c5ea: Fix remaining wikidata login issues: duplicate CA User.Aug 22 2015, 12:50 AM
BBlack added a comment.Aug 22 2015, 12:55 AM

Pushed a fix for deleting the duplicate centralauth_User for wikidata.org, should be in effect globally now.

Lydia_Pintscher reopened this task as Open.Aug 25 2015, 7:13 AM

Apparently people are still having issues: https://www.wikidata.org/wiki/Wikidata:Project_chat#Central_login_.282.29 :(

Sjoerddebruin subscribed.Aug 25 2015, 7:15 AM

Added a notice to our homepage, a sitenotice seems annoying to me.

JanZerebecki added a comment.Aug 26 2015, 5:38 PM

If you can still reproduce this, we need to know your cookies for wikidata.org and subdomains to be able to fix this. (At least the cookie names/keys, don't publicly publish the values. You can send me a private message through Phabricator or on wiki if you want to be sure to not accidentally publish something private.)

Keegan subscribed.Aug 27 2015, 8:21 PM
In T109038#1576174, @JanZerebecki wrote:

If you can still reproduce this, we need to know your cookies for wikidata.org and subdomains to be able to fix this. (At least the cookie names/keys, don't publicly publish the values. You can send me a private message through Phabricator or on wiki if you want to be sure to not accidentally publish something private.)

Reproduced and sent to @JanZerebecki and @aude

matej_suchanek added a project: Wikidata.org.Aug 28 2015, 9:00 AM
gerritbot added a comment.Aug 28 2015, 12:22 PM

Change 234510 had a related patch set uploaded (by JanZerebecki):
Another CentralAuth double cookie workaround

https://gerrit.wikimedia.org/r/234510

gerritbot added a comment.Aug 28 2015, 12:37 PM

Change 234510 merged by BBlack:
Another CentralAuth double cookie workaround

https://gerrit.wikimedia.org/r/234510

BBlack mentioned this in rOPUP80a1f793aadf: Another CentralAuth double cookie workaround.Aug 28 2015, 12:37 PM
JanZerebecki closed this task as Resolved.Aug 28 2015, 12:58 PM

@Keegan Thx. Should be fixed now. Please retry.

JanZerebecki added a project: Wikidata-Sprint-2015-08-18.Aug 28 2015, 12:59 PM
JanZerebecki moved this task from Backlog to Done on the Wikidata-Sprint-2015-08-18 board.
gerritbot added a comment.Aug 28 2015, 1:01 PM

Change 234517 had a related patch set uploaded (by BBlack):
refactor wikidata CA cookies workarounds a bit

https://gerrit.wikimedia.org/r/234517

gerritbot added a comment.Aug 28 2015, 3:36 PM

Change 234517 merged by BBlack:
refactor wikidata CA cookies workarounds a bit

https://gerrit.wikimedia.org/r/234517

BBlack mentioned this in rOPUPa3c073bd6354: refactor wikidata CA cookies workarounds a bit.Aug 28 2015, 3:37 PM
Keegan added a comment.Aug 28 2015, 5:06 PM

@JanZerebecki Fixed for me.

Lydia_Pintscher added a comment.Aug 28 2015, 5:59 PM

@Sjoerddebruin: This also fixed it for one of the people in the office who still had the issue. I think we can take down the note on the main page.

liangent subscribed.Aug 31 2015, 3:02 PM
Lydia_Pintscher changed the status of subtask T109072: [Task] Revert https://gerrit.wikimedia.org/r/#/c/231556/3 on 2015-09-14 from Stalled to Open.Sep 15 2015, 11:38 AM
gerritbot added a comment.Sep 15 2015, 12:17 PM

Change 238418 had a related patch set uploaded (by BBlack):
Remove wikidata CA cookie hacks

https://gerrit.wikimedia.org/r/238418

gerritbot added a comment.Sep 17 2015, 1:18 PM

Change 238418 merged by BBlack:
Remove wikidata CA cookie hacks

https://gerrit.wikimedia.org/r/238418

BBlack mentioned this in rOPUP54c35b3fa8b1: Remove wikidata CA cookie hacks.Sep 17 2015, 1:18 PM
JanZerebecki closed subtask T109072: [Task] Revert https://gerrit.wikimedia.org/r/#/c/231556/3 on 2015-09-14 as Resolved.Sep 17 2015, 2:35 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:19 PM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptDec 15 2016, 4:19 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL