|Resolved||Deskana||T75616 Tracking: API/backend issues blocking Wikipedia app development|
|Resolved||Anomie||T32788 Allow triggering of user password reset email via the API|
|Open||None||T90925 General authentication improvements for MediaWiki|
|Resolved||Anomie||T48179 Allow a challenge stage during authentication|
|Open||None||T5709 Refactoring to make external authentication and identity systems easier|
|Resolved||Tgr||T43201 UserLoadFromSession considered evil|
|Resolved||Anomie||T67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)|
|Open||None||T55156 Provide option to force a login session to end within a certain time|
|Open||None||T89459 Modernize MediaWiki authentication system (AuthManager)|
|Resolved||Anomie||T123451 Deploy SessionManager and bot passwords|
|Declined||dduvall||T125143 Blockers to deploying 1.27-wmf.11|
|Resolved||Anomie||T125114 Accounts with user_token not set can't login to wmf.11 ("cookies not set" error)|
Should be fixed by https://gerrit.wikimedia.org/r/#/c/267066/.
What's happening here isn't actually cookies. James's account on cawiki somehow has no user_token set, so the token check done by SessionManager was failing because User::getToken() will happily generate a new token every call until that happens to be fixed. The pre-SessionManager code omitted the token check when user_token was unset.