Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)
Closed, ResolvedPublic
Actions

Details

	Project	Branch	Lines +/-	Subject
	mediawiki/core	wmf/1.27.0-wmf.11	+9 -9	SessionManager: Don't generate user tokens when checking the tokens
	mediawiki/core	master	+9 -9	SessionManager: Don't generate user tokens when checking the tokens

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Deskana	T75616 Tracking: API/backend issues blocking Wikipedia app development
Resolved		Anomie	T32788 Allow triggering of user password reset email via the API
Open		None	T90925 General authentication improvements for MediaWiki
Resolved		Anomie	T48179 Allow a challenge stage during authentication
Open		None	T5709 Refactoring to make external authentication and identity systems easier
Resolved		Tgr	T43201 UserLoadFromSession considered evil
Resolved		Anomie	T67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
Open	Feature	None	T55156 Provide option to force a login session to end within a certain time
Open		None	T89459 Modernize MediaWiki authentication system (AuthManager)
Resolved		Anomie	T123451 Deploy SessionManager and bot passwords
Declined		dduvall	T125143 Blockers to deploying 1.27-wmf.11
Resolved		Anomie	T125114 Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)

Event Timeline

Jdforrester-WMF created this task.Jan 28 2016, 5:55 PM

Jdforrester-WMF assigned this task to Anomie.

Jdforrester-WMF raised the priority of this task from to Needs Triage.

Jdforrester-WMF updated the task description. (Show Details)

Jdforrester-WMF added a project: acl*security.

Jdforrester-WMF changed the visibility from "Public (No Login Required)" to "Custom Policy".

Jdforrester-WMF changed the edit policy from "All Users" to "Custom Policy".

Jdforrester-WMF changed Security from None to Software security bug.

Jdforrester-WMF added subscribers: Jdforrester-WMF, csteipp.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2016, 5:55 PM

Full screenshot (redacted)

Should be fixed by https://gerrit.wikimedia.org/r/#/c/267066/.

What's happening here isn't actually cookies. James's account on cawiki somehow has no user_token set, so the token check done by SessionManager was failing because User::getToken() will happily generate a new token every call until that happens to be fixed. The pre-SessionManager code omitted the token check when user_token was unset.

bd808 added subscribers: bd808, Tgr, dduvall.Jan 28 2016, 7:41 PM

ori removed a subscriber: bd808.Jan 28 2016, 7:41 PM

bd808 added a subscriber: bd808.Jan 28 2016, 7:45 PM

Tgr added a parent task: T123451: Deploy SessionManager and bot passwords.Jan 28 2016, 8:07 PM

Jdforrester-WMF renamed this task from Can't login to cawiki (cookies not set error) to Accounts with user_token not set can't login to wmf.12 ("cookies not set" error).Jan 28 2016, 8:22 PM

Jdforrester-WMF triaged this task as Unbreak Now! priority.

Jdforrester-WMF added a project: MediaWiki-User-login-and-signup.

There is no wmf.12 yet :)

greg renamed this task from Accounts with user_token not set can't login to wmf.12 ("cookies not set" error) to Accounts with user_token not set can't login to wmf.11 ("cookies not set" error).Jan 28 2016, 8:28 PM

greg mentioned this in T125143: Blockers to deploying 1.27-wmf.11.Jan 28 2016, 8:33 PM

Ah, yes, reality lags behind me. ;-)

The fix has been backported to wmf.11 and synced.

greg added a parent task: T125143: Blockers to deploying 1.27-wmf.11.Jan 28 2016, 10:23 PM

Yup, works fine for me now.

Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 28 2016, 10:23 PM

Jdforrester-WMF changed the edit policy from "Custom Policy" to "All Users".

Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 28 2016, 10:23 PM

Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

Restricted Application added a subscriber: Luke081515. · View Herald Transcript

Jdforrester-WMF removed a project: acl*security.Jan 28 2016, 10:24 PM

Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".

Jdforrester-WMF changed the edit policy from "Custom Policy" to "All Users".

Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 28 2016, 10:24 PM

Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

Restricted Application added a project: acl*security. · View Herald Transcript

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 28 2016, 10:26 PM

Reedy changed the edit policy from "Custom Policy" to "All Users".

Reedy changed Security from Software security bug to None.

Tgr mentioned this in T124453: Meta login fails.Jan 29 2016, 8:25 PM

• chasemp added a project: Security.Feb 10 2020, 10:50 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM

Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)Closed, ResolvedPublicActions

Details

Related ObjectsSearch...

Event Timeline

Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)
Closed, ResolvedPublic
Actions

Related Objects
Search...