When logging into my dev wikis (post session manager), CentralAuth logins fail with "No active login attempt is in progress for your session." whenever the password hash is updated as part of the login process.
Description
Details
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | Bawolff | T122164 Better limitation on number of password guesses people can make |
| Restricted Task | | | |
| Duplicate | | None | T122123 Send echo notification to user of how many failed logins there was since last successful login |
| Open | | None | T122248 Password/login related security issues (Tracking) |
| Restricted Task | | | |
| Restricted Task | | | |
| Resolved | | demon | T124940 MediaWiki 1.26.3 security release |
| Resolved | | csteipp | T116030 Increase pbkdf2 parameter strengths (2015/2016) |
| Resolved | | None | T127396 Logins with CentralAuth fail when password re-hashed |
Event Timeline
It's not so much that the password hash is updated as it is that the update calls CentralAuthUser::setPassword() with $resetAuthToken true, which changes the auth token. But the User object being used by CentralAuthSessionProvider has a different CentralAuthUser instance, which has already been loaded and doesn't know there's a new auth token, so it winds up storing the old token in the session, and the session fails to load on the next pageview.
Two possibilities for fixing this come to mind:
- Arrange for CentralAuthUser::getInstance() to return the same instance if passed two different User objects for the same user.
- Set some sort of flag to tell other CentralAuthUser instances for the same username that they need to reload.
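The following is an added example, not CentralAuth's own code, that models the failure mode described in the comment above and the second of the two proposed fixes: a per-process version (a "CAS token") per username that tells every other instance for that name it must reload before trusting its cached fields. The class and method names (`CentralStore`, `CachedCentralUser`, `loginSurvivesRehash`) and the user `Alice` are stand-ins, and the random tokens are constructed in-process rather than read from a database.

```php
<?php
declare(strict_types=1);

// Added example, not CentralAuth code. Models the stale-instance bug from the
// comment above and a per-username version counter that fixes it. All names
// are hypothetical stand-ins for CentralAuthUser and the central user store.

/** Stand-in for the central user row: username => auth token. */
final class CentralStore
{
    /** @var array<string,string> */
    private array $tokens = [];

    public function loadToken(string $name): string
    {
        // First load creates a row with a fresh random token (constructed data).
        return $this->tokens[$name] ??= bin2hex(random_bytes(16));
    }

    public function saveToken(string $name, string $token): void
    {
        $this->tokens[$name] = $token;
    }
}

/** Stand-in for CentralAuthUser: one object per caller, fields cached after first load. */
final class CachedCentralUser
{
    /** Per-process latest version per username, bumped on every token save. */
    private static array $latestVersion = [];

    private ?string $token = null;
    private int $loadedVersion = 0;

    public function __construct(
        private CentralStore $store,
        private string $name,
        private bool $trackVersions, // false = the buggy behaviour, true = the fix
    ) {
    }

    public static function resetRegistry(): void
    {
        self::$latestVersion = [];
    }

    private function loadIfNeeded(): void
    {
        $current = self::$latestVersion[$this->name] ?? 0;
        // With tracking on, a version mismatch forces a reload even though
        // this instance already has cached fields.
        $stale = $this->trackVersions && $this->loadedVersion !== $current;
        if ($this->token === null || $stale) {
            $this->token = $this->store->loadToken($this->name);
            $this->loadedVersion = $current;
        }
    }

    public function getAuthToken(): string
    {
        $this->loadIfNeeded();
        return $this->token;
    }

    /** Equivalent of setPassword(..., $resetAuthToken = true). */
    public function resetAuthToken(): void
    {
        $this->loadIfNeeded();
        $this->token = bin2hex(random_bytes(16));
        $this->store->saveToken($this->name, $this->token);
        // Bump the shared version so every other instance for this name reloads.
        $next = (self::$latestVersion[$this->name] ?? 0) + 1;
        self::$latestVersion[$this->name] = $next;
        $this->loadedVersion = $next;
    }
}

/**
 * Replays the login: the session provider already holds one instance, the
 * password-update path resets the token through a second one, and the session
 * is written from the first. Returns whether the next pageview's session check passes.
 */
function loginSurvivesRehash(bool $fixed): bool
{
    $store = new CentralStore();
    CachedCentralUser::resetRegistry();

    $providerUser = new CachedCentralUser($store, 'Alice', $fixed);
    $loginUser    = new CachedCentralUser($store, 'Alice', $fixed);

    $providerUser->getAuthToken();  // already loaded before the rehash happens
    $loginUser->resetAuthToken();   // the rehash path changes the auth token

    // What the session provider stores into the session.
    $session = ['name' => 'Alice', 'token' => $providerUser->getAuthToken()];

    // Next request: a fresh instance loads the current token and compares.
    $fresh = new CachedCentralUser($store, 'Alice', $fixed);
    return hash_equals($fresh->getAuthToken(), $session['token']);
}

var_dump(loginSurvivesRehash(false)); // stale token written to the session
var_dump(loginSurvivesRehash(true));  // other instance reloads before writing
```

Run stand-alone, the first call returns false (the provider's instance writes the pre-reset token and the next request rejects the session, which is the "No active login attempt is in progress" symptom) and the second returns true. The version counter lives in process memory only, so it costs no extra database reads; the first proposed fix, returning one shared instance per username from getInstance(), would achieve the same effect by never having two instances disagree in the first place.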
Change 271803 had a related patch set uploaded (by Anomie):
Track CAS tokens for loaded users
Change 272642 had a related patch set uploaded (by Paladox):
Cache CentralAuthUsers more aggressively
Change 273273 had a related patch set uploaded (by Paladox):
Cache CentralAuthUsers more aggressively
Change 273273 abandoned by Krinkle:
Cache CentralAuthUsers more aggressively
Reason:
Was intentionally not backported to wmf.13 yesterday.