
"No active login attempt is in progress for your session." when trying to log in on wikisource.org
Closed, Duplicate; Public

Description

I (User:Roan Kattouw (WMF)) repeatedly tried logging in on wikisource.org, and got a "No active login attempt is in progress for your session." error message. I'm logged in just fine on www.mediawiki.org. Trying to go to www.wikisource.org redirects to wikisource.org. I get the same bug if I try to log in with my non-staff account (User:Catrope).

Event Timeline

Catrope triaged this task as Unbreak Now! priority. Sep 13 2016, 6:09 PM

Headers:

POST https://wikisource.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
Host: wikisource.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://wikisource.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
Cookie: GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; forceHTTPS=true; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED; CP=H2; WMF-Last-Access=13-Sep-2016; sourceswikimwuser-sessionId=REDACTED; sourceswikiUserName=Catrope; sourceswikiSession=REDACTED; forceHTTPS=true
Connection: keep-alive
Upgrade-Insecure-Requests: 1

302 Found
Accept-Ranges: bytes
Age: 0
Backend-Timing: D=1176846 t=1473790625607204
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Tue, 13 Sep 2016 18:17:06 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://login.wikimedia.org/wiki/Special:CentralLogin/start?token=REDACTED
Server: mw1244.eqiad.wmnet
Set-Cookie: sourceswikiSession=REDACTED; path=/; secure; httponly
sourceswikiUserID=166511; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
sourceswikiUserName=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=true; path=/; httponly
centralauth_User=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:06 GMT; Max-Age=2592000; path=/; secure; httponly
centralauth_Session=REDACTED; path=/; secure; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
X-Cache: cp1066 pass, cp2013 pass, cp4016 pass, cp4017 pass
X-Firefox-Spdy: h2
p3p: CP="This is not a P3P policy! See https://wikisource.org/wiki/Special:CentralAutoLogin/P3P for more info."
x-analytics: WMF-Last-Access=13-Sep-2016;https=1
x-cache-status: pass
x-client-ip: 198.73.209.4
x-content-type-options: nosniff
x-powered-by: HHVM/3.12.7
x-varnish: 3574191485, 527365860, 3355738646, 1847884791

GET https://login.wikimedia.org/wiki/Special:CentralLogin/start?token=REDACTED
Host: login.wikimedia.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://wikisource.org/
Cookie: WMF-Last-Access=13-Sep-2016; loginwikiUserName=Roan+Kattouw+%28WMF%29; GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; CP=H2
Connection: keep-alive
Upgrade-Insecure-Requests: 1

302 Found
Accept-Ranges: bytes
Age: 0
Backend-Timing: D=27271 t=1473790628053316
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Tue, 13 Sep 2016 18:17:08 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://wikisource.org/wiki/Special:CentralLogin/complete?token=REDACTED
Server: mw1247.eqiad.wmnet
Set-Cookie: loginwikiSession=REDACTED; path=/; secure; httponly
loginwikiUserID=5495826; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
loginwikiUserName=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
forceHTTPS=true; path=/; httponly
centralauth_User=Roan+Kattouw+%28WMF%29; expires=Thu, 13-Oct-2016 18:17:08 GMT; Max-Age=2592000; path=/; secure; httponly
centralauth_Session=REDACTED; path=/; secure; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,Authorization
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
X-Cache: cp1052 pass, cp2010 pass, cp4016 pass, cp4017 pass
X-Firefox-Spdy: h2
p3p: CP="This is not a P3P policy! See https://login.wikimedia.org/wiki/Special:CentralAutoLogin/P3P for more info."
x-analytics: WMF-Last-Access=13-Sep-2016;https=1
x-cache-status: pass
x-client-ip: 198.73.209.4
x-content-type-options: nosniff
x-powered-by: HHVM/3.12.7
x-varnish: 2301061874, 4235459159, 3355743678, 1847892698

GET https://wikisource.org/wiki/Special:CentralLogin/complete?token=REDACTED
Host: wikisource.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://wikisource.org/
Cookie: GeoIP=US:CA:San_Francisco:37.79:-122.39:v4; forceHTTPS=true; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED; CP=H2; WMF-Last-Access=13-Sep-2016; sourceswikimwuser-sessionId=REDACTED; sourceswikiUserName=Roan+Kattouw+%28WMF%29; sourceswikiSession=REDACTED; forceHTTPS=true; sourceswikiUserID=166511; centralauth_User=Roan+Kattouw+%28WMF%29; centralauth_Session=REDACTED
Connection: keep-alive
Upgrade-Insecure-Requests: 1

200 OK
Accept-Ranges: bytes
Age: 0
Backend-Timing: D=34382 t=1473790628241509
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Language: en
Content-Length: 4318
Content-Type: text/html; charset=UTF-8
Date: Tue, 13 Sep 2016 18:17:08 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: mw1275.eqiad.wmnet
Set-Cookie: sourceswikiSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
sourceswikiUserID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
centralauth_User=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
centralauth_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; secure; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding,Cookie,Authorization
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish, 1.1 varnish
X-Cache: cp1066 pass, cp2013 pass, cp4009 pass, cp4017 pass
X-Firefox-Spdy: h2
X-Frame-Options: DENY
p3p: CP="This is not a P3P policy! See https://wikisource.org/wiki/Special:CentralAutoLogin/P3P for more info."
x-analytics: ns=-1;special=CentralLogin;WMF-Last-Access=13-Sep-2016;https=1
x-cache-status: pass
x-client-ip: 198.73.209.4
x-content-type-options: nosniff
x-powered-by: HHVM/3.12.7
x-ua-compatible: IE=Edge
x-varnish: 3574199333, 527371591, 3919095061, 1847893469

If it's useful, I was unable to reproduce this using my staff account.

Catrope lowered the priority of this task from Unbreak Now! to Medium. Sep 13 2016, 6:33 PM

This problem went away after clearing all centralauth_Session cookies on all domains.

What seems likely to have happened here is something like this:

  1. A login somewhere, without the "remember me" option, set the centralauth_Session cookie with domain=.wikisource.org.
    • This might have been a login to a subdomain such as en.wikisource.org, or CA's auto-login web bugs for a login to a different subdomain.
  2. The CA session expires on the server side.
  3. The login on wikisource.org sets the centralauth_Session cookie as a host-only cookie (no domain set).
  4. Per RFC 6265, the browser has two different cookies named centralauth_Session that match the current domain. Both have the same path attribute. The browser should send the earlier one first.
    • Per the earlier RFC 2109, the cookie from step 1 does not match the base domain wikisource.org, so it all works fine for older browsers.
  5. PHP uses the first cookie named centralauth_Session from the Cookie header. That's the cookie from step 1, not the cookie from step 3.
  6. When CA comes back to wikisource.org to complete the login, it sees the CA session from the cookie doesn't match the CA information it expects in some manner and aborts.

For browsers following RFC 6265, the thing to do here would be to have wikisource.org set CA cookies with domain=.wikisource.org (or just domain=wikisource.org, the leading dot is supposed to be ignored). Then the cookies in steps 1 and 3 would be the same cookie instead of two different cookies and things would work fine. But that would break browsers following the older RFC 2109, because that RFC doesn't allow the domain wikisource.org to set cookies for domain=.wikisource.org (and domain=wikisource.org is considered invalid, the dot is required).

The most-compatible solution would probably be to change wikisource.org to www.wikisource.org or mul.wikisource.org, so it can set cookies for domain=.wikisource.org in all browsers.

@Catrope: I asked over at T112730#2631045 about looking at logs to see how frequent/common this error is. Could you or someone do that?

(When redacting session IDs, leaving the first few characters in makes debugging a lot easier.)

> For browsers following RFC 6265, the thing to do here would be to have wikisource.org set CA cookies with domain=.wikisource.org (or just domain=wikisource.org, the leading dot is supposed to be ignored). Then the cookies in steps 1 and 3 would be the same cookie instead of two different cookies and things would work fine. But that would break browsers following the older RFC 2109, because that RFC doesn't allow the domain wikisource.org to set cookies for domain=.wikisource.org (and domain=wikisource.org is considered invalid, the dot is required).

We could just detect it when the domain equals the current domain and set both the domain cookie and the host-only cookie. But yeah, in general running two independent applications on a domain and its subdomain is a horrible idea. Even more so if the two applications use the same software and thus identical cookie names.
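
The collision in steps 1 to 5 of the analysis above, and both remedies raised in this thread (setting Domain on the bare domain, and setting both the domain and host-only cookies), as an added example that is not part of the original task or of CentralAuth's code. It assumes a browser that keys cookies on (name, domain, host-only flag); Jar, first_wins and login_flow are hypothetical names, and the "stale"/"fresh" values are constructed.

```python
from itertools import count

_tick = count(1)  # stand-in for cookie creation time

class Jar:
    """Toy cookie store; every cookie has path=/ so ordering is by creation time."""
    def __init__(self):
        self.store = {}  # (name, domain, host_only) -> (value, created)

    def set_cookie(self, request_host, name, value, domain_attr=None):
        domain = (domain_attr or request_host).lstrip(".")
        if request_host != domain and not request_host.endswith("." + domain):
            return  # a host may only set cookies for itself or a parent domain
        key = (name, domain, domain_attr is None)  # assumed cookie identity
        old = self.store.get(key)
        created = old[1] if old else next(_tick)  # replacement keeps creation time
        self.store[key] = (value, created)

    def cookie_header(self, host):
        hits = [(created, f"{name}={value}")
                for (name, domain, host_only), (value, created) in self.store.items()
                if host == domain or (not host_only and host.endswith("." + domain))]
        return "; ".join(pair for _, pair in sorted(hits))  # earliest-created first

def first_wins(header, name):
    """Server side as in step 5: keep the first cookie with this name."""
    for pair in header.split("; "):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def login_flow(fix=None):
    jar = Jar()
    # Step 1: an earlier login on a subdomain leaves a domain-wide cookie.
    jar.set_cookie("en.wikisource.org", "centralauth_Session", "stale", ".wikisource.org")
    # Step 3: login on the bare domain, host-only unless the fix says otherwise.
    if fix != "domain_only":
        jar.set_cookie("wikisource.org", "centralauth_Session", "fresh")
    if fix in ("domain_only", "both"):
        jar.set_cookie("wikisource.org", "centralauth_Session", "fresh", "wikisource.org")
    header = jar.cookie_header("wikisource.org")
    return header, first_wins(header, "centralauth_Session")
```

With no fix the server reads the stale session even though the fresh one is in the same header; with either fix the first centralauth_Session value is the fresh one.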

> @Catrope: I asked over at T112730#2631045 about looking at logs to see how frequent/common this error is. Could you or someone do that?

With the help of a few people, https://gerrit.wikimedia.org/r/313547 has now been merged. Yay.

I don't know when it will go live in production. There are some upcoming meetings and freezes, I think.

This error occurs for some users. Cleaning all cookies does not help.
Is there some temporary solution procedure that can be proposed?

If clearing *all* cookies does not help, it's probably a different bug.

> This error occurs for some users. Cleaning all cookies does not help.
> Is there some temporary solution procedure that can be proposed?

I think that bug is related to T169261.

Another instance of the error when logging to commons, on mobile: T198515

> Another instance of the error when logging to commons, on mobile: T198515

That seems unlikely to be related to this specific task, despite the similar error message.