Page MenuHomePhabricator
Create Task
Maniphest T147161

Installer suggests $wgMainCacheType = CACHE_ACCEL, potentially breaking sessions
Open, HighPublic
Actions

Description

There have been an increased number of reports of people having problems with sessions on new MediaWiki 1.27 installations or upgrades to 1.27, and the problem is typically that $wgMainCacheType = CACHE_ACCEL, which causes $wgSessionCacheType to also have the value of CACHE_ACCEL. This is causing problems when the cache is not persistent across requests, and MediaWiki will complain about "session hijacking".

The problem here is that the installer itself is setting $wgMainCacheType = CACHE_ACCEL; if it detects it's appropriate, but in this case it should set $wgSessionCacheType to CACHE_DB, to be in the safe side, unless the installer is also able to detect if the main cache is able to store session information.

Ref:

Details

SubjectRepoBranchLines +/-
Set $wgSessionCacheType to CACHE_DB if CACHE_ACCEL is setmediawiki/coremaster+11 -0
Customize query in gerrit

Related Objects

Event Timeline

Ciencia_Al_Poder created this task.Oct 2 2016, 7:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 2 2016, 7:46 PM
Paladox subscribed.Oct 2 2016, 10:59 PM
Paladox added a comment.Oct 2 2016, 11:07 PM

Hi this may be related to T140961 and T140587

Since to use CACHE_ACCEL you need to have one of the caches there like apcu and xcache.

But this should now be fixed in the tasks I linked pending the patch that was cherry picked to REL1_27 being merged.

@Ciencia_Al_Poder would you be able to get the users to try https://gerrit.wikimedia.org/r/#/c/313756/ please?

And if you could reproduce the problem could you also try https://gerrit.wikimedia.org/r/#/c/313756/ please?

That would also explain my problem too using php 5.5+

Paladox added a comment.Oct 2 2016, 11:12 PM

https://github.com/wikimedia/mediawiki/blob/d175b391ae2a77e3183b2608bb4422782af092a1/includes/Setup.php#L701

Paladox added a project: MediaWiki-libs-BagOStuff.Oct 2 2016, 11:19 PM
Paladox added a project: Performance-Team.
Legoktm subscribed.Oct 2 2016, 11:54 PM

This was T49162: Installer should not default to CACHE_NONE if CACHE_ACCEL is supported / rMWb3dc2fedc5e3: installer: Choose CACHE_ACCEL as the default if available.

This is causing problems when the cache is not persistent across requests, and MediaWiki will complain about "session hijacking".

Why is CACHE_ACCEL not persistent across requests? That kind of defeats the whole point of APCu...

Legoktm edited projects, added MediaWiki-Core-AuthManager; removed Performance-Team.Oct 3 2016, 12:16 AM
Paladox added a comment.EditedOct 3 2016, 6:20 AM

@Legoktm apcu support was added yesterday so maybe this is fixed in the support?

Legoktm added a comment.Oct 3 2016, 7:13 AM
In T147161#2683519, @Paladox wrote:

@Legoktm apcu support was added yesterday so maybe this is fixed in the support?

No, that's entirely unrelated.

Paladox added a comment.Oct 3 2016, 7:20 AM

@Legoktm but you said

"Why is CACHE_ACCEL not persistent across requests? That kind of defeats the whole point of APCu..."

But if CACHE_ACCEL wasn't using apcu then it would not work as intended.

Legoktm added a comment.Oct 3 2016, 7:27 AM
In T147161#2683590, @Paladox wrote:

@Legoktm but you said

"Why is CACHE_ACCEL not persistent across requests? That kind of defeats the whole point of APCu..."

But if CACHE_ACCEL wasn't using apcu then it would not work as intended.

Paladox, I don't think you understand what the issue here is. If APC(u) wasn't detected, then the installer wouldn't have picked it. APC and APCu are interchangable names in this case.

Paladox added a comment.Oct 3 2016, 7:27 AM

Maybe we will want to set $wgSessionCacheType to CACHE_DB if we set CACHE_ACCEL?

Paladox added a comment.Oct 3 2016, 7:29 AM

Oh yep I see now, sorry.

But the apcu support will help users who did pick CACHE_ACCEL manually, to fix the session to. Thanks for explaining

Paladox mentioned this in T138168: AuthManager tokens don't match so HTML forms like login fail.Oct 3 2016, 8:13 AM
Ciencia_Al_Poder added a comment.Oct 3 2016, 9:47 AM

I don't know if they are using APCu or any other opcache detected by MediaWiki.

Also, the problem may happen if the webserver is using multiple threads to handle requests, and different requests (from the same user) reach different threads randomly, so the "persistence" is scoped to a single thread and each request gets completely different cached data.

That's an extract from an IRC conversation from yesterday:

P4145 Extract from #mediawiki IRC channel from 20161002
1[18:27:17] <Sloyment> Hi
2[18:30:26] <Sloyment> I have installed MW 1.27.1, and I can�t log in. It says: "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."
3[18:36:48] <Vulpix> Sloyment: if you have set any cache to CACHE_ACCEL in LocalSettings.php, you may need to set $wgSessionCacheType to CACHE_DB
4[18:40:24] <Sloyment> Vulpix: Thanks :-)
5[18:41:39] <Sloyment> But I did not change LocalSettings.php; it was generated automatically with CACHE_ACCEL enabled.
6[18:43:23] <Vulpix> Sloyment: try adding $wgSessionCacheType = CACHE_DB;
7[18:56:48] <Sloyment> Vulpix: Done. It works now. :-) Thank you.

Reedy subscribed.Oct 3 2016, 11:55 AM

FWIW, APCu isn't an opcode cache. In recent versions of PHP, the opcode cache was pulled out of APC into Zend Opcache, leaving the "userland" caching of APC for storing of other stuff

And I've no idea if the APCu fixes going in help/hinder/do nothing to help this

Anomie added a comment.Oct 3 2016, 2:34 PM
In T147161#2683333, @Legoktm wrote:

Why is CACHE_ACCEL not persistent across requests?

This is probably the critical question here. The answer may have something to do with the larger infrastructure, e.g. if there's some common webserver+PHP that is hitting a case like this.

Cboltz subscribed.Oct 3 2016, 4:59 PM
Paladox added a comment.EditedOct 3 2016, 5:27 PM

Doing this

$wgMainCacheType = CACHE_ACCEL;
$wgSessionCacheType = CACHE_DB;

is still causing the same problem with mw 1.28 wmf 20.

Note: That I also had it set to CACHE_ANYTHING before and that was still causing problems too.

Anomie added a comment.Oct 3 2016, 5:41 PM
In T147161#2685170, @Paladox wrote:

Doing this

$wgMainCacheType = CACHE_ACCEL;
$wgSessionCacheType = CACHE_DB;

is still causing the same problem with mw 1.28 wmf 20.

If you're seeing a problem when $wgSessionCacheType = CACHE_DB;, that's a different problem than the problem that is being described here.

gerritbot subscribed.Oct 3 2016, 5:57 PM

Change 313844 had a related patch set uploaded (by Paladox):
Set $wgSessionCacheType to CACHE_DB if CACHE_ACCEL is set

https://gerrit.wikimedia.org/r/313844

gerritbot added a project: Patch-For-Review.Oct 3 2016, 5:57 PM
Paladox added a comment.Oct 3 2016, 6:00 PM

@Anomie hi, clearing my cache fixes the problem, but then I carn't keep clearing my cache everytime I want to login into my own wiki, T138168

Since it works in MW 1.26 but broke in 1.27, so between those two releases something broke cache and caused the new session based login system to not work as intended, but it works as intended for Wikimedia since they use varnish and memcache.

Reason I doint want to keep clearing my cache is because I doint want to keep signing into my websites and other websites.

Tgr subscribed.Oct 3 2016, 6:15 PM

Yeah, we had problems for a while with CACHE_ACCEL not being persistent (e.g. T138072: Persistent login session issue on some wikis (due to XCache not saving data across requests?)). Maybe the installer could just test for that?

In-memory caching is generally superior for sessions compared to a DB, so if we can reliably detect whether CACHE_ACCEL is persistent or not, maybe we could define something like CACHE_PERSISTENT which has a fallback chain of memcached -> accel (if persistent) -> DB?

Note that pre-1.27 sessions were stored in files (or whatever was configured in php.ini) unless $wgSessionsInObjectCache was set, so this issue will hit some sites that upgrade to 1.27 as well, not just fresh installs. If we could come up with some more clever default (non-installer) behavior that can be backported to 1.27, that would be great.

Anomie added a comment.Oct 3 2016, 7:03 PM

@Paladox: If you have $wgSessionCacheType = CACHE_DB; already, it's not the same issue. On this task I don't care what you can do to work around your issue or how inconvenient that is for you because this task is not about your issue. Go discuss your issue on T138168; I'd recommend starting with providing the information requested in T138168#2393690.

Paladox added a comment.Oct 3 2016, 7:36 PM

Hi yes sorry wrong task to disccuss my problem is.

gerritbot added a comment.Oct 4 2016, 9:23 PM

Change 313844 abandoned by Paladox:
Set $wgSessionCacheType to CACHE_DB if CACHE_ACCEL is set

https://gerrit.wikimedia.org/r/313844

cicalese subscribed.Jan 26 2017, 2:39 PM
TTO mentioned this in T156882: Session lost after upgrade to MW 1.28.Feb 1 2017, 3:28 AM
Ciencia_Al_Poder mentioned this in T160519: Jenkins Browser tests for Wikibase/Popups etc are failing: Invalid CSRF token in Selenium browser.Mar 15 2017, 10:47 PM
Ciencia_Al_Poder mentioned this in T161902: Extensions not working on a clean install of MW 1.28.0.Mar 31 2017, 5:19 PM
Ciencia_Al_Poder awarded a token.Apr 1 2017, 9:08 AM
Ciencia_Al_Poder added a comment.Apr 2 2017, 10:25 AM

With the backports of rMW61f778256c and rMW14aa034af6 into REL1_27 and REL1_28 the underlying session problem shouldn't happen anymore. Still, may be worth investigating why installer suggests CACHE_ACCEL when it doesn't work

demon mentioned this in T162077: User::pingLimiter always fails to limit when $wgMainCacheType is CACHE_NONE.Apr 3 2017, 8:41 PM
Krinkle triaged this task as High priority.Apr 7 2017, 10:47 PM
Krinkle moved this task from General to libs/objectcache on the MediaWiki-libs-BagOStuff board.
Louperivois subscribed.Jun 20 2017, 5:37 PM
Oznogon subscribed.Jun 26 2017, 10:00 PM
frabrunelle subscribed.Jul 24 2017, 5:03 AM
Osnard subscribed.Nov 22 2017, 6:58 AM
Papaul subscribed.Jul 31 2019, 2:32 AM

I am having the same problem. Everything was working fine on my Wiki until this morning when I tried to login i was getting the message below

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again.
MediaWiki 1.30.0

I had it to

$wgMainCacheType = CACHE_NONE;

when i started to have the issue this morning i set it to

$wgMainCacheType = CACHE_ACCEL;

but still having the same issue

Thanks

taavi mentioned this in T249586: Configurator omits $wgSessionCacheType.Apr 7 2020, 7:27 AM
Legoktm merged a task: T249586: Configurator omits $wgSessionCacheType.Jul 24 2020, 10:50 PM
Legoktm added subscribers: Ydhirsch, taavi.
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 16 2020, 5:10 PM
Nikerabbit subscribed.Mar 12 2021, 2:02 PM

I'd add that if CACHE_DB is used, sesions are stored in objectcache table which is unconditionally truncated every time you run update.php. This defeats the reliability of CACHE_DB for sites that frequently run update.php.

Krinkle moved this task from libs/objectcache to General on the MediaWiki-libs-BagOStuff board.Jan 22 2022, 11:25 PM
Restricted Application added a project: Performance-Team. · View Herald TranscriptJan 22 2022, 11:25 PM
Krinkle edited projects, added Performance-Team (Radar); removed Performance-Team.Jan 24 2022, 7:26 PM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.Jan 26 2022, 6:47 PM
Krinkle removed a project: Performance-Team (Radar).Aug 18 2023, 8:13 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptAug 18 2023, 8:13 PM
larissagaulia moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Aug 21 2023, 1:19 PM
larissagaulia edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
Tgr mentioned this in T186673: Deprecate and remove CACHE_ANYTHING; cache on by default.Jan 6 2024, 9:02 PM
Physikerwelt added a project: NFDI.Feb 19 2024, 2:32 PM
Krinkle moved this task from General to Confirmed problem on the MediaWiki-libs-BagOStuff board.Mar 26 2024, 7:21 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL