
Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)
Closed, Resolved, Public

Event Timeline

Jdforrester-WMF assigned this task to Anomie.
Jdforrester-WMF raised the priority of this task from to Needs Triage.
Jdforrester-WMF updated the task description.
Jdforrester-WMF added a project: Security.
Jdforrester-WMF changed the visibility from "Public (No Login Required)" to "Custom Policy".
Jdforrester-WMF changed the edit policy from "All Users" to "Custom Policy".
Jdforrester-WMF changed Security from None to Software security bug.
Restricted Application added a subscriber: Aklapper. Jan 28 2016, 5:55 PM
Jdforrester-WMF added a comment (edited). Jan 28 2016, 5:56 PM

Full screenshot (redacted)

Should be fixed by https://gerrit.wikimedia.org/r/#/c/267066/.

What's happening here isn't actually cookies. James's account on cawiki somehow has no user_token set, so the token check done by SessionManager was failing because User::getToken() will happily generate a new token every call until that happens to be fixed. The pre-SessionManager code omitted the token check when user_token was unset.
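
The failure described in the comment above, as a simplified Python model added here for illustration; it is not MediaWiki or SessionManager code and is not part of the original comment. All class and function names are hypothetical, and `get_token_stable` is an assumed remedy, not a description of the Gerrit change.

```python
import hmac
import secrets


class Account:
    """Hypothetical user record; stored_token models the user_token field."""

    def __init__(self, name, stored_token=""):
        self.name = name
        self.stored_token = stored_token


def get_token_regenerating(account):
    # Behaviour described in the comment: with no stored token, each call
    # returns a brand-new random value and nothing remembers it.
    return account.stored_token or secrets.token_hex(16)


def get_token_stable(account):
    # Assumed remedy for illustration: generate once, keep it on the record.
    if not account.stored_token:
        account.stored_token = secrets.token_hex(16)
    return account.stored_token


def start_session(account, get_token):
    # At login, the session remembers the token it was created with.
    return {"user": account.name, "token": get_token(account)}


def strict_check(session, account, get_token):
    # Always compare the remembered token with the account's current token.
    return hmac.compare_digest(session["token"], get_token(account))


def lenient_check(session, account, get_token):
    # Models the older behaviour from the comment: skip the comparison
    # entirely when the account has no stored token.
    if not account.stored_token:
        return True
    return strict_check(session, account, get_token)


def login_round_trip(account, get_token, check):
    # Log in, then validate the session on the following request.
    session = start_session(account, get_token)
    return check(session, account, get_token)
```

With an empty stored token, the strict check combined with the regenerating getter rejects a session that was created a moment earlier, which is the login failure the task reports.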

ori removed a subscriber: bd808. Jan 28 2016, 7:41 PM
Jdforrester-WMF renamed this task from Can't login to cawiki (cookies not set error) to Accounts with user_token not set can't login to wmf.12 ("cookies not set" error). Jan 28 2016, 8:22 PM
Jdforrester-WMF triaged this task as Unbreak Now! priority.
greg added a subscriber: greg. Jan 28 2016, 8:27 PM

There is no wmf.12 yet :)

greg renamed this task from Accounts with user_token not set can't login to wmf.12 ("cookies not set" error) to Accounts with user_token not set can't login to wmf.11 ("cookies not set" error). Jan 28 2016, 8:28 PM

Ah, yes, reality lags behind me. ;-)

dduvall added a comment (edited). Jan 28 2016, 9:05 PM

The fix has been backported to wmf.11 and synced.

Jdforrester-WMF closed this task as Resolved. Jan 28 2016, 10:23 PM

Yup, works fine for me now.

Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 28 2016, 10:23 PM
Jdforrester-WMF changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Jan 28 2016, 10:23 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Luke081515.
Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".
Jdforrester-WMF changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Jan 28 2016, 10:24 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: Security.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 28 2016, 10:26 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy changed Security from Software security bug to None.