Logging out immediately logs you back in
Closed, ResolvedPublic

Description

I am unable to log out of Wikimedia from the English Wikipedia. Immediately after pressing "logout", I get centrally logged in again. I am using Monobook on Safari.

Other people seem to have the same problem, see https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#No_longer_able_to_log_out_.28thank_you.2C_WMF.21.29

Event Timeline

Kusma created this task. Jan 22 2016, 12:18 PM
Kusma updated the task description.
Kusma raised the priority of this task from to Needs Triage.
Kusma added a subscriber: Kusma.
Restricted Application added subscribers: StudiesWorld, Aklapper. Jan 22 2016, 12:18 PM
Glaisher triaged this task as Unbreak Now! priority. Jan 22 2016, 12:28 PM
Glaisher added a subscriber: Glaisher.

I can also reproduce this issue. This seems pretty UBN to me.

This is a security issue. If an admin logs in on a public computer - like in a library or in their office's common area - they try to log out but don't notice that they didn't: then the next person using that machine has admin rights on WP which they probably aren't entitled to.

JEumerus added a subscriber: JEumerus.

Seeing as this seems to be an issue with the CentralAuth function, adding two associated projects.

Probably related: T124406

Reedy added a subscriber: Reedy. Jan 22 2016, 12:41 PM

It's presumably related to the session updates in .11

I can logout fine from enwiki, FWIW, as can other people

Joe added a subscriber: Joe. Jan 22 2016, 12:42 PM

I can logout as well, FWIW. The issue clearly exists though.

Samtar added a subscriber: Samtar. Jan 22 2016, 1:02 PM
Bugreporter added a subscriber: Bugreporter. Edited Jan 22 2016, 2:04 PM

Also reproduced in enwiki, zhwiki, wikidatawiki, metawiki, mediawikiwiki. However, logging out at loginwiki probably doesn't have this problem.

Fae added a subscriber: Fae. Jan 22 2016, 2:09 PM

What's going on here is that logging out on a wiki other than loginwiki isn't invalidating the session that exists on loginwiki, so CentralAuth's "auto-login if you're logged in on loginwiki" code is immediately logging you back in.

I can't reproduce in my normal Firefox profile because apparently I have some cookie setting that breaks that CA auto-login, but I can reproduce on a newly-created profile.

I'm working on a fix for it now.
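The mechanism described in the comment above, as an added illustrative model (this is not MediaWiki or CentralAuth code; the class, method names and sample user are constructed): a logout that only drops the wiki-local session leaves the central session intact, so the autologin hook on the very next page view restores the login, while a logout that also invalidates the central session does not.

```python
# Simplified model of a central-login (SSO) setup, added to illustrate this task's bug.
# It is NOT MediaWiki or CentralAuth code; all names and the sample user are constructed.
from itertools import count


class SsoSessions:
    """One central session store ("loginwiki") plus one local store per wiki."""

    def __init__(self):
        self.central = {}   # central session id -> username
        self.local = {}     # (wiki, local session id) -> username
        self._ids = count(1)

    def login(self, wiki, user):
        """Log in on one wiki: creates the local session and the central session."""
        browser = {"wiki": wiki, "local": f"s{next(self._ids)}", "central": f"c{next(self._ids)}"}
        self.local[(wiki, browser["local"])] = user
        self.central[browser["central"]] = user
        return browser     # models the cookies the browser now carries

    def autologin(self, browser):
        """Runs on every page view: a valid central session (re)creates the local one."""
        wiki = browser["wiki"]
        if (wiki, browser.get("local")) in self.local:
            return True
        user = self.central.get(browser["central"])
        if user is None:
            return False
        browser["local"] = f"s{next(self._ids)}"
        self.local[(wiki, browser["local"])] = user
        return True

    def logout_local_only(self, browser):
        """Broken behaviour: only the local session is dropped; the central session
        on loginwiki survives, so the next autologin silently logs the user back in."""
        self.local.pop((browser["wiki"], browser.pop("local", None)), None)

    def logout(self, browser):
        """Corrected behaviour: logging out on any wiki also invalidates the central
        session, so autologin has nothing left to restore the login from."""
        self.logout_local_only(browser)
        self.central.pop(browser["central"], None)


def logged_in_after_logout(fixed):
    """True if the user is (re)logged in on the page view right after logging out."""
    s = SsoSessions()
    browser = s.login("enwiki", "SampleAdmin")   # constructed sample user
    (s.logout if fixed else s.logout_local_only)(browser)
    return s.autologin(browser)
```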

I can't reproduce in my normal Firefox profile because apparently I have some cookie setting that breaks that CA auto-login, but I can reproduce on a newly-created profile.

Cannot replicate this on the (latest) Firefox either.

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Reedy added a comment. Jan 22 2016, 3:44 PM

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Change 265748 had a related patch set uploaded (by Anomie):
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265748

Change 265749 had a related patch set uploaded (by Anomie):
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265749

Change 265750 had a related patch set uploaded (by Anomie):
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265750

Change 265751 had a related patch set uploaded (by Anomie):
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265751

csteipp merged a task: Restricted Task. Jan 22 2016, 4:31 PM
csteipp added subscribers: csteipp, Krenair, Hazard-SJ.

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Correct, maybe after the fix.

Change 265750 merged by jenkins-bot:
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265750

Reedy added a comment. Jan 22 2016, 4:40 PM

Per suggestion at ANI:
Also, then, to prevent a 'probable' disaster, could all sessions be invalidated on server-side.

Then what? They log in again, and we're back to square one?

There will be either a fix, or a rollback to .10 until we have a fix

Correct, maybe after the fix.

Yes, maybe after. Doing it before would've been pointless if they logged in again

Change 265751 merged by jenkins-bot:
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265751

Anomie closed this task as Resolved. Jan 22 2016, 4:56 PM
Anomie claimed this task.

The fix is confirmed and deployed, so I'm going to mark this as resolved.

Invalidating all existing sessions is being worked on, and should happen in a little bit.

Change 265748 merged by jenkins-bot:
SessionManager: Add SessionBackend::setProviderMetadata()

https://gerrit.wikimedia.org/r/265748

Change 265749 merged by jenkins-bot:
SessionManager: Track whether the session is supposed to be CA or Local

https://gerrit.wikimedia.org/r/265749

Legoktm reopened this task as Open. Jan 23 2016, 1:09 AM
Legoktm added a subscriber: Legoktm.

There've been reports that this is still happening.

We're rolling back to wmf.10 right now.

Tgr added a comment. Jan 23 2016, 1:15 AM

Happened to me a single time, incognito Chrome, enwiki I believe? I had lots of windows open and I closed the one accidentally :-/ I logged in, then out, and the CentralAuth autologin thingie immediately replaced the user toolbar on the login screen.

Tried to reproduce but could not; I don't think I did anything differently. I think this was the first time I used that test account since @Anomie patched CentralAuth so my guess is the stored metadata did not have a source key and that made the metadata merge successful. (I still only half-understand that stuff so chances are that's a stupid guess :)

greg added a subscriber: greg. Jan 23 2016, 1:16 AM

We have now rolled back all wikis to 1.27-wmf.10. This issue should be gone now (/me crosses fingers). We'll work on resolving this and moving forward next week.

I think this was the first time I used that test account since @Anomie patched CentralAuth so my guess is the stored metadata did not have a source key and that made the metadata merge successful. (I still only half-understand that stuff so chances are that's a stupid guess :)

That sounds like a good guess to me.

We have now rolled back all wikis to 1.27-wmf.10.

:(

bd808 added a subscriber: bd808. Jan 23 2016, 1:20 AM
bd808 added a comment. Jan 27 2016, 8:26 PM

1.27.0-wmf.11 is back on group1 (everything but the wikipedias) as of 2016-01-27T19:14. Please be on the lookout for any recurrence of the prior logout issues and report back here if you feel that you can reproduce.

Restricted Application added a subscriber: Luke081515. Jan 31 2016, 7:16 PM
Anomie closed this task as Resolved. Feb 4 2016, 4:43 PM

Since no one reported this all last week while wmf.11 was live, let's call this resolved again.

Restricted Application added a subscriber: Urbanecm. May 9 2016, 9:10 AM