Page MenuHomePhabricator
Create Task
Maniphest T181869

Error "Session {session}: Metadata has an anonymous user, but a non-anon user was provided"
Open, MediumPublicPRODUCTION ERROR
Actions

Description

type=mediawiki
level=WARNING
channel=session

Session "{session}": Metadata has an anonymous user, but a non-anon user was provided

About 1,200 hits in the last 24 hours:
https://logstash.wikimedia.org/goto/02d3891d4a7de1488e28ef1e0314c598

Seems to be coming from both /w/api.php and /w/index.php.

Details

SubjectRepoBranchLines +/-
session: Improve text and documentation of SessionManager warningsmediawiki/coremaster+23 -13
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Dec 2 2017, 1:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 2 2017, 1:33 AM
MarcoAurelio mentioned this in T181876: Specific user cannot log in to meta.wiki.Dec 2 2017, 8:45 AM
Framawiki subscribed.Dec 2 2017, 9:37 AM
MarcoAurelio subscribed.Dec 2 2017, 10:36 AM

Related https://phabricator.wikimedia.org/T181876 ?

Anomie subscribed.Dec 4 2017, 4:08 PM

It's a session security check. If the session itself is for an anonymous user but the cookies (or whatever) are for a logged-in user, that mismatch prevents use of the session. Chances are these are related to case #1 described at T158365#3036725, and the solutions there would apply here too.

In T181869#3805289, @MarcoAurelio wrote:

Related https://phabricator.wikimedia.org/T181876 ?

There's no particular evidence of that. I believe that this log message would result in the user being served a new session cookie, and thus would not be the cause of T181876.

demon moved this task from Untriaged to Dec2019/1.35.wmf.10+ on the Wikimedia-production-error board.Dec 15 2017, 12:21 AM
Krinkle moved this task from Dec2019/1.35.wmf.10+ to Apr 2019 / 1.33.wmf.25+ on the Wikimedia-production-error board.Sep 13 2018, 1:29 AM
Krinkle mentioned this in T204459: Session "{session}": CentralAuth saved source {saved} != expected source {expected}.Sep 16 2018, 10:23 PM
Krinkle moved this task from Apr 2019 / 1.33.wmf.25+ to Older on the Wikimedia-production-error board.Sep 19 2018, 12:57 AM
mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:09 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
Krinkle added a project: Platform Engineering.Mar 10 2021, 1:50 AM
AMooney triaged this task as Medium priority.Mar 16 2021, 2:22 PM
AMooney edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
AMooney moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.
Tgr added a project: Documentation.Oct 6 2023, 10:37 PM
Tgr subscribed.

This is not necessarily an error, but really needs better documentation.

Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 9 2023, 4:00 AM
Krinkle edited projects, added MediaWiki-Platform-Team; removed Platform Team Workboards (Clinic Duty Team).Feb 22 2024, 4:45 PM
gerritbot added a comment.Feb 25 2024, 11:07 PM

Change 1006177 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] session: Improve text and documentation of SessionManager warnings

https://gerrit.wikimedia.org/r/1006177

gerritbot added a project: Patch-For-Review.Feb 25 2024, 11:07 PM
Tgr claimed this task.Feb 25 2024, 11:07 PM
Tgr moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.
Tgr removed a project: Wikimedia-production-error.

Not actually a production error, the messages are logged to the session channel.

gerritbot added a comment.Feb 26 2024, 5:58 PM

Change 1006177 merged by jenkins-bot:

[mediawiki/core@master] session: Improve text and documentation of SessionManager warnings

https://gerrit.wikimedia.org/r/1006177

Maintenance_bot removed a project: Patch-For-Review.Feb 26 2024, 6:30 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.20; 2024-02-27).Feb 27 2024, 1:00 AM
Tgr added a parent task: T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Feb 27 2024, 9:15 AM
Bugreporter moved this task from Backlog to Central session, SSO (autologin) and centralauthtoken on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:45 AM
Tgr removed Tgr as the assignee of this task.Mar 12 2024, 4:56 PM
Tgr moved this task from Current Sprint to Within 2 Qs on the MediaWiki-Platform-Team board.

Improved the inline docs a little. (Note that the message changed, it is now Session "{session}": the session store entry is for an anonymous user, but the session metadata indicates a non-anonynmous user.) I have two hypotheses of what could be happening:

  • When the user logs out, the login cookies do not get unset for some reason, so the user is left with an anonymous session (is this actually true? do we set the backend session to anonymous on logout, rather than deleting it?) but logged-in cookies. I don't think this explains what's going on, given how frequent the logs are, and failing to unset cookies isn't something that should happen often.
  • When the user logs out on CentralAuth, cookies on domains other than the current one are left in place (T143001: Wiki sites should delete all their cookies during logout). I don't think this would result in this message (those domains would have no session or an invalid logged-in session, not an anonymous session) but maybe I misremember the details of how CentralAuth session invalidation on login works.

We should probably figure this out later, but it's more a peculiarity than a problem so not a priority.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL