Page MenuHomePhabricator
Create Task
Maniphest T156882

Session lost after upgrade to MW 1.28
Closed, DuplicatePublic
Actions

Description

We are using cookie share with following settings:
$wgSharedDB = 'wikidata';
$wgCookieDomain = '.moegirl.org';
$wgCookiePrefix = "moegirlSSO";

There used to be some users complain that session lost if they stay in editing interface for hours, but they CAN successfully submit editing, when they saw "lost session data" and click save again.

However, after upgrade to MW1.28, no one can submit editing anymore. We realized that the session ID will change every time user visit a new page/ refresh page/ and submitting edits.
There were no problem for single test wiki in our test, but it break immediately in production environment.

this bug can be reproduced if you login here https://zh.moegirl.org/index.php?title=Special:%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95&uselang=en
with User:
sessionlosttester
Password:
123456

Press F12 and then you can see the session id change every time you refresh webpage.
gnmcth8asn849mfb0flkqjcorf57q8n9
khg9lhtpfcg0djfkdo9ojctc0bdvq021
............

Related Objects
Search...

Event Timeline

Zoglun created this task.Feb 1 2017, 3:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 1 2017, 3:07 AM
Zoglun triaged this task as High priority.Feb 1 2017, 3:08 AM
Zoglun updated the task description. (Show Details)
TTO added a subscriber: TTO.Feb 1 2017, 3:28 AM

Possibly T147161? Maybe you want to set https://www.mediawiki.org/wiki/Manual:$wgSessionCacheType.

TTO added a project: MediaWiki-Authentication-and-authorization.Feb 1 2017, 3:29 AM
Zoglun added a comment.Feb 1 2017, 3:33 AM

Looks more like T149573 , where several servers keep changing session because each of them have a individual session set by wfMemcKey.

For a temporary fix in production environment, I got the $wgCookieDomain = '.moegirl.org'; changed to $wgCookieDomain = 'zh.moegirl.org'; so that users can edit articles.

Will test the fix later....

Zoglun added a comment.Feb 1 2017, 3:40 AM

We tried $wgSessionCacheType to CACHE_ACCEL & CACHE_DB & redis, none of them solve problem.

Set $wgCookieDomain = 'zh.moegirl.org'; become useless after 10 mins.....

Zoglun added a comment.Feb 1 2017, 4:46 AM

There were 17369 sessions in uAPC (or DB or redis) within 10 mins. None of them get deleted. It just keep generating new session each page.

TTO added subscribers: Anomie, Tgr.Feb 2 2017, 1:00 AM
Liuxinyu970226 added a project: Chinese-Sites.Feb 2 2017, 5:05 AM
Liuxinyu970226 moved this task from Backlog to Non-WMF Chinese sites on the Chinese-Sites board.
Aklapper added a subscriber: Liuxinyu970226.Feb 2 2017, 9:38 AM

Liuxinyu970226 added a project: Chinese-Sites.

@Liuxinyu970226: Care to elaborate?

Liuxinyu970226 added a comment.Feb 2 2017, 12:06 PM
In T156882#2992550, @Aklapper wrote:

Liuxinyu970226 added a project: Chinese-Sites.

@Liuxinyu970226: Care to elaborate?

Just like T152014, T103470, and T74268

Tgr added a comment.Feb 2 2017, 6:44 PM
In T156882#2988763, @Zoglun wrote:

Looks more like T149573 , where several servers keep changing session because each of them have a individual session set by wfMemcKey.

Yeah, you probably need to write a patch for that, write a BagOStuff subclass that uses global keys even when not asked to do it (cf makeKey and makeGlobalKey) and set that class for $wgSessionCacheType.

Zoglun closed this task as Resolved.EditedFeb 4 2017, 5:01 AM
Zoglun claimed this task.

Problem confirmed and solved (at least for us).

It is T149573, where the avatar that we used cite photo from another wiki under .moegirl.org domain. Therefore everyone who set their avatar will get a different session from the shared wiki. For a temporary fix, we "unset req.http.Cookie;" in varnish so that they will not mess up each other.

I will try the BagOStuff subclass method, and hope AuthManager could get stable soon. I do saw many complain about it since 1.27 around support desk in mediawiki.org, mailing list, and in phabricator.

Zoglun added a parent task: T138168: AuthManager tokens don't match so HTML forms like login fail.Feb 4 2017, 5:01 AM
Liuxinyu970226 removed a subscriber: Liuxinyu970226.Feb 4 2017, 5:15 AM
Tgr added a comment.Feb 4 2017, 7:41 AM

AuthManager is stable, although maybe not user-friendly. All problems I have seen for the last half year or so stem from some kind of misconfiguration.

Zoglun mentioned this in T156990: All user name become 127.0.0.1 in notification mail after upgrade MW to 1.28.Feb 4 2017, 7:05 PM
Liuxinyu970226 moved this task from Non-WMF Chinese sites to Closed on the Chinese-Sites board.Feb 18 2017, 3:24 AM
Platonides closed this task as a duplicate of T149573: Add a configuration variable that allows Session Backend and Session manager share sessions across multiple wikis..Aug 27 2017, 10:55 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL