Page MenuHomePhabricator
Create Task
Maniphest T127396

Logins with CentralAuth fail when password re-hashed
Closed, ResolvedPublic
Actions

Description

When logging into my dev wikis (post session manager), CentralAuth logins fail with "No active login attempt is in progress for your session." whenever the password hash is updated as part of the login process.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/CentralAuthwmf/1.27.0-wmf.13+59 -25Cache CentralAuthUsers more aggressively
mediawiki/extensions/CentralAuthmaster+59 -25Cache CentralAuthUsers more aggressively
mediawiki/extensions/CentralAuthwmf/1.27.0-wmf.14+59 -25Cache CentralAuthUsers more aggressively
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Feb 18 2016, 11:32 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 18 2016, 11:32 PM
csteipp added a parent task: T116030: Increase pbkdf2 parameter strengths (2015/2016).Feb 18 2016, 11:35 PM
Anomie added a comment.Feb 19 2016, 4:27 PM

It's not so much that the password hash is updated as it is that the update is calling CentralAuthUser::setPassword() with $resetAuthToken true, which changes the auth token. But the User object being used by CentralAuthSessionProvider has a different CentralAuthUser instance, which has already been loaded and doesn't know there's a new auth token, so it winds up storing the old token into the session, so the session fails to load on the next pageview.

Two possibilities for fixing this come to mind:

  • Arrange for CentralAuthUser::getInstance() to return the same instance if passed two different User objects for the same user.
  • Set some sort of flag to tell other CentralAuthUser instances for the same username that they need to reload.
gerritbot added a subscriber: gerritbot.Feb 19 2016, 5:43 PM

Change 271803 had a related patch set uploaded (by Anomie):
Track CAS tokens for loaded users

https://gerrit.wikimedia.org/r/271803

gerritbot added a project: Patch-For-Review.Feb 19 2016, 5:43 PM
Tgr added a subscriber: Tgr.Feb 19 2016, 7:04 PM
In T127396#2044404, @Anomie wrote:
  • Arrange for CentralAuthUser::getInstance() to return the same instance if passed two different User objects for the same user.

That would solve other problems as well, see T127236.

gerritbot added a comment.Feb 22 2016, 9:44 PM

Change 271803 merged by jenkins-bot:
Cache CentralAuthUsers more aggressively

https://gerrit.wikimedia.org/r/271803

gerritbot added a comment.Feb 23 2016, 12:14 AM

Change 272642 had a related patch set uploaded (by Paladox):
Cache CentralAuthUsers more aggressively

https://gerrit.wikimedia.org/r/272642

gerritbot added a comment.Feb 24 2016, 12:06 AM

Change 272642 merged by jenkins-bot:
Cache CentralAuthUsers more aggressively

https://gerrit.wikimedia.org/r/272642

Anomie closed this task as Resolved.Feb 24 2016, 12:56 AM

Should be fixed now.

Nemo_bis added a project: MW-1.27-release.Feb 24 2016, 9:17 AM
gerritbot added a comment.Feb 25 2016, 5:23 PM

Change 273273 had a related patch set uploaded (by Paladox):
Cache CentralAuthUsers more aggressively

https://gerrit.wikimedia.org/r/273273

gerritbot added a comment.Feb 25 2016, 6:21 PM

Change 273273 abandoned by Krinkle:
Cache CentralAuthUsers more aggressively

Reason:
Was intentionally not backported to wmf.13 yesterday.

https://gerrit.wikimedia.org/r/273273

MarcoAurelio moved this task from Incoming to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL