CentralAuth is not logging the user into loginwiki anymore
Closed, Resolved · Public

Description

The fix for T124409: Logging out immediately logs you back in broke an unstated assumption that the session could always be re-loaded from the original request cookies, which makes the "was a session cookie provided?" check in LoginForm break, which makes it do an extra redirect after login, which makes CentralAuth not do its redirect dance with loginwiki.

This was never really guaranteed anyway, since some extension might have screwed around with the SessionMetadata and SessionCheckInfo hooks to violate the assumption, or some nonce might be valid only for the first load during the request. So the solution is probably to just save whether the session was persistent when it first gets loaded in Setup.php, and use that for the login cookie check instead.
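The difference between re-loading the session from the request cookies at check time and saving the persistence flag at first load, as an added illustration (a simplified Python model, not MediaWiki or CentralAuth code). All class, function and cookie names are hypothetical, and the backend models the description's "nonce valid only for the first load" case.

```python
class OneShotSessionBackend:
    """Constructed backend: a cookie nonce validates only on its first load."""

    def __init__(self, valid_nonces):
        self.valid = set(valid_nonces)

    def load_persistent(self, cookies):
        nonce = cookies.get("session_nonce")  # hypothetical cookie name
        if nonce in self.valid:
            self.valid.discard(nonce)  # a second load in the same request fails
            return True
        return False


class Request:
    def __init__(self, cookies, backend):
        self.cookies = cookies
        self.backend = backend
        # Setup step: the session is loaded once from the request cookies.
        # Remember here whether that first load found a persistent session.
        self.session_was_persistent = backend.load_persistent(cookies)


def cookie_check_reload(req):
    """Fragile check: assumes the session can be re-loaded from the cookies."""
    return req.backend.load_persistent(req.cookies)


def cookie_check_saved(req):
    """Robust check: uses the flag recorded when the session was first loaded."""
    return req.session_was_persistent


def after_login(had_session_cookie):
    # Without proof of a cookie, the login form redirects once more to test
    # cookie support, which is what derails the central login redirect.
    if had_session_cookie:
        return "continue to central login"
    return "extra cookie-check redirect"


def demo():
    cookies = {"session_nonce": "n1"}  # constructed sample request cookie
    fragile = Request(cookies, OneShotSessionBackend({"n1"}))
    robust = Request(cookies, OneShotSessionBackend({"n1"}))
    return (after_login(cookie_check_reload(fragile)),
            after_login(cookie_check_saved(robust)))


if __name__ == "__main__":
    print(demo())
```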

Event Timeline

Anomie created this task. Jan 22 2016, 7:54 PM
Anomie claimed this task.
Anomie raised the priority of this task from to Needs Triage.
Anomie updated the task description.
Anomie added a subscriber: Anomie.
Restricted Application added subscribers: StudiesWorld, Aklapper. Jan 22 2016, 7:54 PM

Change 265799 had a related patch set uploaded (by Anomie):
SessionManager: Kill getPersistedSessionId()

https://gerrit.wikimedia.org/r/265799

Change 265840 had a related patch set uploaded (by Anomie):
SessionManager: Kill getPersistedSessionId()

https://gerrit.wikimedia.org/r/265840

Change 265799 merged by jenkins-bot:
SessionManager: Kill getPersistedSessionId()

https://gerrit.wikimedia.org/r/265799

Change 265840 merged by jenkins-bot:
SessionManager: Kill getPersistedSessionId()

https://gerrit.wikimedia.org/r/265840

Anomie closed this task as Resolved. Jan 22 2016, 9:51 PM

Fixed and backported. You will, of course, have to log in one more time to get the cookies set correctly.