Page MenuHomePhabricator

"No active login attempt is in progress for your session." when trying to log in on wikisource.org
Open, NormalPublic

Description

I (User:Roan Kattouw (WMF)) repeatedly tried logging in on wikisource.org, and got a "No active login attempt is in progress for your session." error message. I'm logged in just fine on www.mediawiki.org. Trying to go to www.wikisource.org redirects to wikisource.org. I get the same bug if I try to log in with my non-staff account (User:Catrope).

Event Timeline

Catrope created this task.Sep 13 2016, 6:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 13 2016, 6:09 PM
Catrope triaged this task as Unbreak Now! priority.Sep 13 2016, 6:09 PM
Restricted Application added subscribers: Jay8g, Luke081515, TerraCodes. · View Herald TranscriptSep 13 2016, 6:09 PM
greg added a subscriber: greg.Sep 13 2016, 6:19 PM

Headers:

1POST https://wikisource.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
2Host: wikisource.org
3User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5Accept-Language: en-US,en;q=0.5
6Accept-Encoding: gzip, deflate, br
7Referer: https://wikisource.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
8Cookie: GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; forceHTTPS=true; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED; CP=H2; WMF-Last-Access=13-Sep-2016; sourceswikimwuser-sessionId=REDACTED; sourceswikiUserName=Catrope; sourceswikiSession=REDACTED; forceHTTPS=true
9Connection: keep-alive
10Upgrade-Insecure-Requests: 1
11
12302 Found
13Accept-Ranges: bytes
14Age: 0
15Backend-Timing: D=1176846 t=1473790625607204
16Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
17Content-Encoding: gzip
18Content-Length: 20
19Content-Type: text/html; charset=utf-8
20Date: Tue, 13 Sep 2016 18:17:06 GMT
21Expires: Thu, 01 Jan 1970 00:00:00 GMT
22Location: https://login.wikimedia.org/wiki/Special:CentralLogin/start?token=REDACTED
23Server: mw1244.eqiad.wmnet
24Set-Cookie: sourceswikiSession=REDACTED; path=/; secure; httponly
25sourceswikiUserID=166511; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
26sourceswikiUserName=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
27forceHTTPS=true; path=/; httponly
28centralauth_User=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
29centralauth_Session=REDACTED; path=/; secure; httponly
30Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
31Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization
32Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
33X-Cache: cp1066 pass, cp2013 pass, cp4016 pass, cp4017 pass
34X-Firefox-Spdy: h2
35p3p: CP="This is not a P3P policy! See https://wikisource.org/wiki/Special:CentralAutoLogin/P3P for more info."
36x-analytics: WMF-Last-Access=13-Sep-2016;https=1
37x-cache-status: pass
38x-client-ip: 198.73.209.4
39x-content-type-options: nosniff
40x-powered-by: HHVM/3.12.7
41x-varnish: 3574191485, 527365860, 3355738646, 1847884791
42
43GET https://login.wikimedia.org/wiki/Special:CentralLogin/start?token=REDACTED
44Host: login.wikimedia.org
45User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
46Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
47Accept-Language: en-US,en;q=0.5
48Accept-Encoding: gzip, deflate, br
49Referer: https://wikisource.org/
50Cookie: WMF-Last-Access=13-Sep-2016; loginwikiUserName=Roan+Kattouw+%28WMF%29; GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; CP=H2
51Connection: keep-alive
52Upgrade-Insecure-Requests: 1
53
54302 Found
55Accept-Ranges: bytes
56Age: 0
57Backend-Timing: D=27271 t=1473790628053316
58Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
59Content-Encoding: gzip
60Content-Length: 20
61Content-Type: text/html; charset=utf-8
62Date: Tue, 13 Sep 2016 18:17:08 GMT
63Expires: Thu, 01 Jan 1970 00:00:00 GMT
64Location: https://wikisource.org/wiki/Special:CentralLogin/complete?token=REDACTED
65Server: mw1247.eqiad.wmnet
66Set-Cookie: loginwikiSession=REDACTED; path=/; secure; httponly
67loginwikiUserID=5495826; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
68loginwikiUserName=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
69forceHTTPS=true; path=/; httponly
70centralauth_User=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
71centralauth_Session=REDACTED; path=/; secure; httponly
72Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
73Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization
74Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
75X-Cache: cp1052 pass, cp2010 pass, cp4016 pass, cp4017 pass
76X-Firefox-Spdy: h2
77p3p: CP="This is not a P3P policy! See https://login.wikimedia.org/wiki/Special:CentralAutoLogin/P3P for more info."
78x-analytics: WMF-Last-Access=13-Sep-2016;https=1
79x-cache-status: pass
80x-client-ip: 198.73.209.4
81x-content-type-options: nosniff
82x-powered-by: HHVM/3.12.7
83x-varnish: 2301061874, 4235459159, 3355743678, 1847892698
84
85GET https://wikisource.org/wiki/Special:CentralLogin/complete?token=REDACTED
86Host: wikisource.org
87User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
88Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
89Accept-Language: en-US,en;q=0.5
90Accept-Encoding: gzip, deflate, br
91Referer: https://wikisource.org/
92Cookie: GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; forceHTTPS=true; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED; CP=H2; WMF-Last-Access=13-Sep-2016; sourceswikimwuser-sessionId=REDACTED; sourceswikiUserName=Roan+Kattouw+%28WMF%29; sourceswikiSession=REDACTED; forceHTTPS=true; sourceswikiUserID=166511; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED
93Connection: keep-alive
94Upgrade-Insecure-Requests: 1
95
96200 OK
97Accept-Ranges: bytes
98Age: 0
99Backend-Timing: D=34382 t=1473790628241509
100Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
101Content-Encoding: gzip
102Content-Language: en
103Content-Length: 4318
104Content-Type: text/html; charset=UTF-8
105Date: Tue, 13 Sep 2016 18:17:08 GMT
106Expires: Thu, 01 Jan 1970 00:00:00 GMT
107Server: mw1275.eqiad.wmnet
108Set-Cookie: sourceswikiSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
109sourceswikiUserID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
110forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
111centralauth_User=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
112centralauth_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
113Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
114Vary: Accept-Encoding,Cookie,Authorization
115Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
116X-Cache: cp1066 pass, cp2013 pass, cp4009 pass, cp4017 pass
117X-Firefox-Spdy: h2
118X-Frame-Options: DENY
119p3p: CP="This is not a P3P policy! See https://wikisource.org/wiki/Special:CentralAutoLogin/P3P for more info."
120x-analytics: ns=-1;special=CentralLogin;WMF-Last-Access=13-Sep-2016;https=1
121x-cache-status: pass
122x-client-ip: 198.73.209.4
123x-content-type-options: nosniff
124x-powered-by: HHVM/3.12.7
125x-ua-compatible: IE=Edge
126x-varnish: 3574199333, 527371591, 3919095061, 1847893469

If it's useful, I was unable to reproduce this using my staff account.

Catrope lowered the priority of this task from Unbreak Now! to Normal.Sep 13 2016, 6:33 PM

This problem went away after clearing all centralauth_Session cookies on all domains.

Anomie added a subscriber: Anomie.EditedSep 13 2016, 8:02 PM

What seems likely to have happened here is something like this:

  1. A login somewhere, without the "remember me" option, set the centralauth_Session cookie with domain=.wikisource.org.
    • This might have been a login to a subdomain such as en.wikisource.org, or CA's auto-login web bugs for a login to a different subdomain.
  2. The CA session expires on the server side.
  3. The login on wikisource.org sets the centralauth_Session cookie as a host-only cookie (no domain set).
  4. Per RFC 6265, the browser has two different cookies named centralauth_Session that match the current domain. Both have the same path attribute. The browser should send the earlier one first.
    • Per the earlier RFC 2109, the cookie from step 1 does not match the base domain wikisource.org, so it all works fine for older browsers.
  5. PHP uses the first cookie named centralauth_Session from the Cookie header. That's the cookie from step 1, not the cookie from step 3.
  6. When CA comes back to wikisource.org to complete the login, it sees the CA session from the cookie doesn't match the CA information it expects in some manner and aborts.

For browsers following RFC 6265, the thing to do here would be to have wikisource.org set CA cookies with domain=.wikisource.org (or just domain=wikisource.org, the leading dot is supposed to be ignored). Then the cookies in steps 1 and 3 would be the same cookie instead of two different cookies and things would work fine. But that would break browsers following the older RFC 2109, because that RFC doesn't allow the domain wikisource.org to set cookies for domain=.wikisource.org (and domain=wikisource.org is considered invalid, the dot is required).

The most-compatible solution would probably be to change wikisource.org to www.wikisource.org or mul.wikisource.org, so it can set cookies for domain=.wikisource.org in all browsers.

@Catrope: I asked over at T112730#2631045 about looking at logs to see how frequent/common this error is. Could you or someone do that?

Tgr added a subscriber: Tgr.Sep 13 2016, 11:47 PM

(When redacting session IDs, leaving the first few characters in makes debugging a lot easier.)

For browsers following RFC 6265, the thing to do here would be to have wikisource.org set CA cookies with domain=.wikisource.org (or just domain=wikisource.org, the leading dot is supposed to be ignored). Then the cookies in steps 1 and 3 would be the same cookie instead of two different cookies and things would work fine. But that would break browsers following the older RFC 2109, because that RFC doesn't allow the domain wikisource.org to set cookies for domain=.wikisource.org (and domain=wikisource.org is considered invalid, the dot is required).

We could just detect it when the domain equals the current domain and set both the domain cookie and the host-only cookie. But yeah, in general running two independent applications on a domain and its subdomain is a horrible idea. Even more so if the two applications use the same software and thus identical cookie names.

@Catrope: I asked over at T112730#2631045 about looking at logs to see how frequent/common this error is. Could you or someone do that?

With the help of a few people, https://gerrit.wikimedia.org/r/313547 has now been merged. Yay.

I don't know when it will go live in production. There are some upcoming meetings and freezes, I think.

Kaganer added a subscriber: Kaganer.Jul 5 2017, 5:40 PM

This error occurs for some users. Cleaning all cookies does not help.
Is there some temporary solution procedure that can be proposed?

Tgr added a comment.Jul 6 2017, 12:09 AM

If clearing *all* cookies does not help, it's probably a different bug.

Rxy added a subscriber: Rxy.Jul 6 2017, 8:36 AM

This error occurs for some users. Cleaning all cookies does not help.
Is there some temporary solution procedure that can be proposed?

I think that bug is related with T169261 .

Deskana removed a subscriber: Deskana.Jul 6 2017, 11:21 AM

Another instance of the error when logging to commons, on mobile: T198515

Anomie added a comment.Jul 2 2018, 4:52 PM

Another instance of the error when logging to commons, on mobile: T198515

That seems unlikely to be related to this specific task, despite the similar error message.