Page MenuHomePhabricator
Create Task
Maniphest T171190

Can't save any page if $wgCookieDomain is too broad
Closed, ResolvedPublic
Actions

Description

[see the last paragraph for the TL;DR summary]

I use Auth_remoteuser for the *.opensuse.org wikis and hit a problem with the cookies used by Auth_remoteuser.

Trying to save any changes on el.opensuse.org or pl.opensuse.org always errored out:

Sorry! We could not process your edit due to a loss of session data. 
You might have been logged out. Please verify that you're still
logged in and try again. [...]"

Editing the other wikis worked.

The reason for the session problem was $wgCookieDomain = 'opensuse.org' instead of $LANG.opensuse.org

el.opensuse.org includes MediaWiki:Common.css from en.opensuse.org and gets the english session cookies this way. Since the CSS is loaded after the HTML and the latest cookie wins, the next request sent the english cookies to the el wiki.

The solution was obviously to restrict $wgCookieDomain to $LANG.opensuse.org.

The better solution would be to somehow include the wiki name (maybe using the database name?) in the cookie name - instead of MediaWiki_Extensions_Auth_remoteuser_AuthRemoteuserSessionProviderUserID it could be something like MediaWiki_Extensions_Auth_remoteuser_AuthRemoteuserSessionProvider_wiki_en_UserID. This would avoid cookie conflicts if $wgCookieDomain covers more than one wiki.

Details

SubjectRepoBranchLines +/-
More distinctive cookie prefixmediawiki/extensions/Auth_remoteuserREL1_30+33 -5
More distinctive cookie prefixmediawiki/extensions/Auth_remoteuserREL1_29+33 -5
More distinctive cookie prefixmediawiki/extensions/Auth_remoteuserREL1_28+33 -5
More distinctive cookie prefixmediawiki/extensions/Auth_remoteuserREL1_27+33 -5
More distinctive cookie prefixmediawiki/extensions/Auth_remoteusermaster+33 -5
Customize query in gerrit

Related Objects

Event Timeline

Cboltz created this task.Jul 20 2017, 4:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 20 2017, 4:25 PM
Enst80 claimed this task.Jan 20 2018, 12:45 PM
Enst80 added a comment.Jan 20 2018, 1:03 PM

Took me a while to get behind the problem. No, not nearly a year ;-) Sorry for beeing that late to this task.

Anyways, thanks to your description a patch is ready. Will upload it for review soon. (You can see it on my github page already, see the branch T171190 there for early alpha access ^^)

Cboltz added a comment.Jan 20 2018, 9:23 PM

Yeah, the problem is not too easy to understand (guess how long it took me to find out what happens...), so no worries ;-)

I had a look at your commit on github, and it looks like it should solve the issue. Actually it covers more cases than I'd have thought of ;-)

Thanks for fixing this interesting[tm] bug!

Enst80 mentioned this in T188193: update namespace.Feb 25 2018, 12:13 PM
gerritbot subscribed.Mar 16 2018, 11:44 PM

Change 420135 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@master] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420135

gerritbot added a project: Patch-For-Review.Mar 16 2018, 11:44 PM
gerritbot added a comment.Mar 19 2018, 10:13 PM

Change 420135 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@master] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420135

Enst80 added a comment.Mar 19 2018, 10:30 PM

Because this is a severe bug, which inhibits the extension usage on bigger MW installations, i'll backport the patch to all affected branches.

gerritbot added a comment.Mar 19 2018, 10:46 PM

Change 420608 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_27] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420608

gerritbot added a comment.Mar 19 2018, 10:48 PM

Change 420609 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_28] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420609

gerritbot added a comment.Mar 19 2018, 10:50 PM

Change 420610 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_29] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420610

gerritbot added a comment.Mar 19 2018, 10:53 PM

Change 420611 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_30] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420611

gerritbot added a comment.Mar 19 2018, 10:56 PM

Change 420608 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_27] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420608

gerritbot added a comment.Mar 19 2018, 10:57 PM

Change 420609 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_28] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420609

gerritbot added a comment.Mar 19 2018, 10:57 PM

Change 420610 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_29] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420610

gerritbot added a comment.Mar 19 2018, 10:57 PM

Change 420611 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_30] More distinctive cookie prefix

https://gerrit.wikimedia.org/r/420611

Enst80 closed this task as Resolved.Mar 19 2018, 11:02 PM

Task closed before 1 year passed. Celebrate! :-)

MarkAHershberger mentioned this in T257533: Auth_remoteuser makes cookie forwarding not work.Jul 8 2020, 11:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits