Page MenuHomePhabricator
Create Task
Maniphest T124421

Response to api.php?action=login on Wikimedia wikis has some seriously sick Set-Cookie headings
Closed, ResolvedPublic
Actions

Description

Response to api.php?action=login on Wikimedia wikis has some seriously sick Set-Cookie headings.

curl -X POST -I "https://en.wikipedia.org/w/api.php?format=json&action=login" | grep -i Set-Cookie

Set-Cookie: forceHTTPS=true; path=/; httponly
Set-Cookie: enwikiSession=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; path=/; secure; httponly
Set-Cookie: enwikiUserID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
Set-Cookie: enwikiToken=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
Set-Cookie: centralauth_User=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
Set-Cookie: forceHTTPS=true; path=/; httponly
Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; path=/; domain=.wikipedia.org; httponly
Set-Cookie: WMF-Last-Access=22-Jan-2016;Path=/;HttpOnly;Expires=Tue, 23 Feb 2016 12:00:00 GMT
Set-Cookie: GeoIP=YYYYYYYYYYYYYYYYYYYYYYYYYYY; Path=/; Domain=.wikipedia.org
  1. Why are we sending so many pre-expired cookies? I see that this is intentional, but I'm curious why it's needed.
  2. Why are we sending the 'forceHTTPS' cookies six times?

(The expired cookies serve as a good test of the client's cookie handling abilities, heh. My bot was unable to log in until I taught it to expire cookies.)

Details

SubjectRepoBranchLines +/-
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookiemediawiki/extensions/CentralAuthmaster+11 -3
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookiemediawiki/extensions/CentralAuthwmf/1.27.0-wmf.11+11 -3
SessionManager: Abstract forceHTTPS cookie settingmediawiki/extensions/CentralAuthwmf/1.27.0-wmf.11+23 -15
SessionManager: Abstract forceHTTPS cookie settingmediawiki/corewmf/1.27.0-wmf.11+31 -12
SessionManager: Abstract forceHTTPS cookie settingmediawiki/coremaster+31 -12
SessionManager: Abstract forceHTTPS cookie settingmediawiki/extensions/CentralAuthmaster+23 -15
Customize query in gerrit

Related Objects

Event Timeline

matmarex created this task.Jan 22 2016, 2:57 PM
matmarex raised the priority of this task from to Needs Triage.
matmarex updated the task description. (Show Details)
matmarex added a project: WMF-General-or-Unknown.
matmarex subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 22 2016, 2:57 PM
Reedy added a project: Security-Team.Jan 22 2016, 2:59 PM
Reedy set Security to None.
Reedy added subscribers: csteipp, dcausse.
matmarex added subscribers: Anomie, Reedy.Jan 22 2016, 3:00 PM
matmarex mentioned this in T124252: NEED_TOKEN error spike when 1.27-wmf.11 SessionManager was deployed to group1.Jan 22 2016, 6:04 PM
Tgr subscribed.Jan 22 2016, 6:09 PM

AIUI cookies need to be consistent now (see T124384#1954664).

Anomie added a comment.EditedJan 22 2016, 6:26 PM

Why are we sending so many pre-expired cookies? I see that this is intentional, but I'm curious why it's needed.

Before SessionManager, PHP set the session cookie and other code set/cleared the other cookies when that other code happened to be called. Now that handling of all authn cookies is in CookieSessionProvider (or CentralAuthSessionProvider), all those cookies get updated every time the session gets saved.

We could theoretically have WebResponse check whether the cookie was in $_COOKIE (or was set earlier in this request) before explicitly deleting it, if we decide that avoiding sending deletions for already-deleted cookies is something that would be useful.

Why are we sending the 'forceHTTPS' cookies six times?

  1. CookieSessionProvider setting the cookie.
  2. CentralAuthSessionProvider clearing the cookie that CookieSessionProvider set.
  3. CentralAuthSessionProvider setting the cookie with different parameters.
  4. CookieSessionProvider setting the cookie again, because step #2 cleared it and step #3 set the same name with different parameters anyway.
  5. CentralAuthSessionProvider clearing the cookie that CookieSessionProvider set.
  6. CentralAuthSessionProvider setting the cookie itself with different parameters.

We could cut out number 6 by adjusting the logic in WebResponse to more closely match the algorithm in RFC 6265 § 5.3, particularly step 11, although that could risk having broken clients fail in different ways. Cutting out the rest would be more difficult, unless we decide to let it have the 'forceHTTPS' cookie set on two different domains and rely on the code to make sure they don't get out of sync.

saper subscribed.Jan 22 2016, 9:26 PM

Steps 1-5 indicate there is something wrong in the architecture, why can't they communicate more efficiently?

gerritbot subscribed.Jan 23 2016, 6:50 PM

Change 265929 had a related patch set uploaded (by Anomie):
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/265929

gerritbot added a project: Patch-For-Review.Jan 23 2016, 6:50 PM

Change 265931 had a related patch set uploaded (by Anomie):
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/265931

gerritbot added a comment.Jan 25 2016, 3:58 AM

Change 265929 merged by jenkins-bot:
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/265929

gerritbot added a comment.Jan 25 2016, 3:58 AM

Change 265931 merged by jenkins-bot:
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/265931

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-02-02_(1.27.0-wmf.12)).Jan 25 2016, 4:00 AM
Anomie closed this task as Resolved.Jan 25 2016, 8:22 PM
Anomie claimed this task.
MZMcBride subscribed.Jan 25 2016, 8:24 PM

The task description provides the "before" here. Could someone please provide the "after"?

Anomie added a comment.Jan 25 2016, 8:28 PM

The "after" has fewer forceHTTPS cookies set (in most cases it should be two max), and also avoids sending "deleted" cookies if the cookie being deleted wasn't in the request to start with.

matmarex added a comment.Jan 25 2016, 8:35 PM

For future reference, the output from wmf.10, as seen right now for the same request, is:

Set-Cookie: enwikiSession=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; path=/; secure; httponly
Set-Cookie: WMF-Last-Access=25-Jan-2016;Path=/;HttpOnly;Expires=Fri, 26 Feb 2016 12:00:00 GMT
Set-Cookie: GeoIP=YYYYYYYYYYYYYYYYYYYYYYYYYYY; Path=/; Domain=.wikipedia.org
gerritbot added a comment.Jan 25 2016, 10:23 PM

Change 266415 had a related patch set uploaded (by BryanDavis):
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/266415

gerritbot added a comment.Jan 25 2016, 10:49 PM

Change 266423 had a related patch set uploaded (by BryanDavis):
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/266423

matmarex added a project: MediaWiki-User-login-and-signup.Jan 26 2016, 12:23 PM
gerritbot added a comment.Jan 26 2016, 5:27 PM

Change 266423 merged by jenkins-bot:
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/266423

gerritbot added a comment.Jan 26 2016, 5:37 PM

Change 266415 merged by jenkins-bot:
SessionManager: Abstract forceHTTPS cookie setting

https://gerrit.wikimedia.org/r/266415

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)).Jan 26 2016, 6:00 PM
gerritbot added a comment.Jan 26 2016, 8:55 PM

Change 266585 had a related patch set uploaded (by Anomie):
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookie

https://gerrit.wikimedia.org/r/266585

gerritbot added a comment.Jan 27 2016, 6:54 AM

Change 266585 merged by jenkins-bot:
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookie

https://gerrit.wikimedia.org/r/266585

gerritbot added a comment.Jan 27 2016, 7:48 AM

Change 266671 had a related patch set uploaded (by Gergő Tisza):
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookie

https://gerrit.wikimedia.org/r/266671

gerritbot added a comment.Jan 27 2016, 4:06 PM

Change 266671 merged by jenkins-bot:
Avoid forceHTTPS cookie flapping if core and CA are setting the same cookie

https://gerrit.wikimedia.org/r/266671

intracer subscribed.Mar 11 2016, 8:53 AM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:08 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL