
Interlacing login and logout requests on different client on same PC affect each other
Closed, Duplicate · Public

Description

Hi, recently I've been working with my MW API client library, and bumped into some problems when trying to run my unit tests concurrently. The situation can be simplified as follows.

Suppose we have two separate HttpClient instances (the point is, they have different cookie containers), A, and B, and the two clients issue the requests to the same API endpoint (i.e. https://test2.wikipedia.org/w/api.php ) in the following order (I use --> to indicate requests, while <-- represents responses):

A --> format=json&action=query&meta=tokens&type=login
A <-- {"batchcomplete":"","query":{"tokens":{"logintoken":"4f84fb11c456c912fcf657bce187d6c45966283e+\\"}}}
A --> format=json&action=login&lgname=XuesongBot&lgpassword=****&lgtoken=4f84fb11c456c912fcf657bce187d6c45966283e%2B%5C
A --> format=json&action=query&meta=userinfo&uiprop=blockinfo%7Cgroups%7Chasmsg%7Crights
A <-- {"batchcomplete":"","query":{"userinfo":{"id":6332,"name":"XuesongBot","groups":["bot","editor","*","user","autoconfirmed"], ...

B --> format=json&action=query&meta=tokens&type=login
B <-- {"batchcomplete":"","query":{"tokens":{"logintoken":"aeb6bf8633ee636a551df2cf31334b0459662842+\\"}}}
B --> format=json&action=login&lgname=XuesongBot&lgpassword=****&lgtoken=aeb6bf8633ee636a551df2cf31334b0459662842%2B%5C
B --> format=json&action=query&meta=userinfo&uiprop=blockinfo%7Cgroups%7Chasmsg%7Crights
B <-- {"batchcomplete":"","query":{"userinfo":{"id":6332,"name":"XuesongBot","groups":["bot","editor","*","user","autoconfirmed"],"....

So far so good. Then come the following requests:

B --> format=json&action=logout
B <-- {}
A --> format=json&action=query&meta=userinfo&uiprop=blockinfo%7Cgroups%7Chasmsg%7Crights
A <-- {"batchcomplete":"","query":{"userinfo":{"id":0,"name":"206.161.*.*","anon":"",...    <- Oops

I logged out with client B but client A is also logged out!

After some investigation, I found out that the cookies received by A and B in the response to action=login have something in common. For example, they share the same centralauth_Token:

Cookies A
Set-Cookie: test2wikiSession=lkng5lcoc4g63f1nfkgsdrc9kholh5r8; path=/; secure; httponly
Set-Cookie: test2wikiUserID=6332; expires=Thu, 12-Jul-2018 13:46:40 GMT; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: test2wikiUserName=XuesongBot; expires=Thu, 12-Jul-2018 13:46:40 GMT; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; expires=Fri, 11-Aug-2017 13:46:40 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; httponly
Set-Cookie: centralauth_User=XuesongBot; expires=Thu, 12-Jul-2018 13:46:40 GMT; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Token=4837f813e0628e658a8396c3d7507d00; expires=Thu, 12-Jul-2018 13:46:40 GMT; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Session=da4ced18bab8cf34edaf7c552cf92fe8; path=/; domain=.wikipedia.org; secure; httponly
Cookies B
Set-Cookie: test2wikiSession=tev41bsg7itgi6s4vbu6d8gblnpq5vh6; path=/; secure; httponly
Set-Cookie: test2wikiUserID=6332; expires=Thu, 12-Jul-2018 13:46:44 GMT; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: test2wikiUserName=XuesongBot; expires=Thu, 12-Jul-2018 13:46:44 GMT; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: forceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; expires=Fri, 11-Aug-2017 13:46:44 GMT; Max-Age=2592000; path=/; domain=.wikipedia.org; httponly
Set-Cookie: centralauth_User=XuesongBot; expires=Thu, 12-Jul-2018 13:46:44 GMT; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Token=4837f813e0628e658a8396c3d7507d00; expires=Thu, 12-Jul-2018 13:46:44 GMT; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Session=84b880918c9ec640f848b46e192a393a; path=/; domain=.wikipedia.org; secure; httponly

Now I'm just curious; is this behavior by design or not? Thank you!
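
The cookie comparison described in the report can be automated. The following is an added example, not part of the original task or of MediaWiki: it replays two sets of Set-Cookie headers into per-client jars and separates token-like cookies whose value is identical in both clients from those that are unique to each. The header values are constructed placeholders, and the "token-like" test is a heuristic assumption.

```python
import re

# Constructed Set-Cookie headers shaped like the two login responses in the
# report; every token value is a made-up placeholder, not a real credential.
CLIENT_A = """\
Set-Cookie: test2wikiSession=aaaaaaaaaaaaaaaa1111111111111111; path=/; secure; httponly
Set-Cookie: test2wikiUserID=6332; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: forceHTTPS=deleted; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; Max-Age=2592000; path=/; domain=.wikipedia.org; httponly
Set-Cookie: centralauth_Token=cccccccccccccccc3333333333333333; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Session=dddddddddddddddd4444444444444444; path=/; domain=.wikipedia.org; secure; httponly
"""
CLIENT_B = """\
Set-Cookie: test2wikiSession=bbbbbbbbbbbbbbbb2222222222222222; path=/; secure; httponly
Set-Cookie: test2wikiUserID=6332; Max-Age=31536000; path=/; secure; httponly
Set-Cookie: forceHTTPS=deleted; Max-Age=0; path=/; httponly
Set-Cookie: forceHTTPS=true; Max-Age=2592000; path=/; domain=.wikipedia.org; httponly
Set-Cookie: centralauth_Token=cccccccccccccccc3333333333333333; Max-Age=31536000; path=/; domain=.wikipedia.org; secure; httponly
Set-Cookie: centralauth_Session=eeeeeeeeeeeeeeee5555555555555555; path=/; domain=.wikipedia.org; secure; httponly
"""

def build_jar(raw_headers):
    """Apply Set-Cookie lines in order; keyed by name only (domain/path scoping ignored)."""
    jar = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        pair, *attrs = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = pair.partition("=")
        if any(a.lower().replace(" ", "") == "max-age=0" for a in attrs):
            jar.pop(name, None)   # server asked the client to delete this cookie
        else:
            jar[name] = value     # a later header overrides an earlier one
    return jar

def looks_like_secret(value):
    # Heuristic (assumption): long alphanumeric strings are opaque tokens.
    return re.fullmatch(r"[0-9A-Za-z]{16,}", value) is not None

def classify(jar_a, jar_b):
    """Split token-like cookies into (shared by both clients, unique per client)."""
    names = sorted(n for n in jar_a.keys() & jar_b.keys() if looks_like_secret(jar_a[n]))
    shared = [n for n in names if jar_a[n] == jar_b[n]]
    return shared, [n for n in names if n not in shared]

if __name__ == "__main__":
    print(classify(build_jar(CLIENT_A), build_jar(CLIENT_B)))
```

Any name in the first list is state that both clients hold in common, so it is the first place to look when an action in one client changes what the other sees.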

Event Timeline

CXuesong created this task. Jul 12 2017, 2:13 PM
Restricted Application added a subscriber: Aklapper. Jul 12 2017, 2:13 PM
CXuesong added a comment. Edited Jul 28 2019, 3:55 PM

I came here because this problem seems to be gone if I use a Bot Password (generated from Special:BotPasswords). That is, I have the following response sequence now, as long as I use a bot password to log in:

B --> format=json&action=logout
B <-- {}
A --> format=json&action=query&meta=userinfo&uiprop=blockinfo%7Cgroups%7Chasmsg%7Crights
A <-- {"batchcomplete":"","query":{"userinfo":{"id":6332,"name":"XuesongBot","groups":["bot","editor","*","user","autoconfirmed"], ...

which means logging out on HttpClient B won't log me out on HttpClient A. While this is great and can facilitate my unit testing, I'm just wondering why the behavior can be so different. Do you have some explanation that may shed some light on this? Thanks!

Restricted Application added a project: Core Platform Team. Jul 28 2019, 3:55 PM
Restricted Application added a subscriber: Liuxinyu970226.