
Fix sessionfailure message for forms where "go back" makes no sense
Closed, ResolvedPublic

Description

When the CSRF token verification fails, users get the sessionfailure system message (There seems to be a problem with your login session; this action has been cancelled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again.) Typically this happens on a form submit, causes form validation to fail, and the form is displayed again with a new CSRF token (and submitting again will work if the problem was a session timeout; otherwise, trying again wouldn't help anyway).

"Go back to the previous page and reload" is useless and confusing advice in most (if not all) cases; the user should just resubmit the form.

Event Timeline

I've had this kind of issue some time back and especially on MW-Vagrant instances. I've not had it on an actual wiki anyway. So resubmitting will work only if it was a session timeout (as you rightly mentioned). So just changing the sessionfailure system message can be a little confusing if the above mentioned case is not what is happening. Maybe it could be better to check what the issue is in the code and return the appropriate error?

Meaning if it's not a session timeout, then the appropriate message should be returned rather than telling the user to resubmit the form when it won't work? What do you think @Tgr?

How do you tell if it's a session timeout or not? As far as MediaWiki is concerned, usually it's the same situation: the user submitted a CSRF token but there isn't one in their session. Maybe SessionManager can be changed to say whether the backend session existed at the start of the request; in any case, that's a more complex problem and should probably be a separate task.
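As an added illustration of the distinction discussed in the description and in Tgr's reply (this is example code written for this page, not MediaWiki's or SessionManager's own code): a minimal token check that records whether the session held a token at all, so that "session empty" (new or expired session, resubmitting will work) can be reported differently from "token present but mismatched" (stale form or cross-site request). The session is a plain array standing in for a backend session store, and the names CsrfOutcome, issueCsrfToken, verifyCsrfToken and messageFor are hypothetical.

```php
<?php
// Added example, not MediaWiki code. A hypothetical CSRF check that keeps
// enough state to say *why* verification failed. The $session array is a
// stand-in for a backend session store (constructed for this example).

declare(strict_types=1);

final class CsrfOutcome
{
    public const OK = 'ok';                       // submitted token matches the session token
    public const SESSION_EMPTY = 'session_empty'; // no token in the session: new or expired session
    public const MISMATCH = 'mismatch';           // session holds a token, but it is not the one submitted
}

/** Issue a fresh token into the session store and return it for embedding in the form. */
function issueCsrfToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['csrf_token'] = $token;
    return $token;
}

/**
 * Verify a submitted token without silently minting a new one on a miss.
 * If the check instead generated a token whenever the session lacked one and
 * then compared, the "expired session" and "wrong token" cases would collapse
 * into the same mismatch, which is the ambiguity the thread describes.
 */
function verifyCsrfToken(array &$session, ?string $submitted): string
{
    if (!isset($session['csrf_token'])) {
        // Nothing to compare against: the session did not exist or has timed
        // out. A fresh form with a new token will succeed on resubmission.
        return CsrfOutcome::SESSION_EMPTY;
    }
    if ($submitted === null || !hash_equals($session['csrf_token'], $submitted)) {
        // Session is alive but the token is wrong: a stale form or a
        // cross-site request. hash_equals() keeps the comparison constant-time.
        return CsrfOutcome::MISMATCH;
    }
    return CsrfOutcome::OK;
}

/** Message the form would show for each outcome (hypothetical wording). */
function messageFor(string $outcome): string
{
    switch ($outcome) {
        case CsrfOutcome::OK:
            return '';
        case CsrfOutcome::SESSION_EMPTY:
            return 'Your session has expired. The form has been reloaded with a new token; please submit it again.';
        default:
            return 'The security token did not match your session, so the action was cancelled. Please submit the form again.';
    }
}

// Demonstration with constructed in-memory sessions.
$session = [];
$token = issueCsrfToken($session);

$cases = [
    // 1. Normal submit: token matches the live session.
    'normal submit'        => verifyCsrfToken($session, $token),
    // 2. Session timed out between render and submit: the store is empty.
    'expired session'      => verifyCsrfToken($expired = [], $token),
    // 3. Live session, but a stale or forged token was submitted.
    'wrong token'          => verifyCsrfToken($session, str_repeat('0', 32)),
    // 4. Live session, token field missing entirely.
    'missing token'        => verifyCsrfToken($session, null),
];

foreach ($cases as $label => $outcome) {
    printf("%-16s -> %-14s %s\n", $label, $outcome, messageFor($outcome));
}
```

Run it with `php example.php`; cases 2 and 3 produce different outcomes here, whereas a check that regenerates the token on a miss would report both as a plain mismatch.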

Change 407403 had a related patch set uploaded (by D3r1ck01; owner: Alangi Derick):
[mediawiki/core@master] Fixes to sessionfailure message during authentication

https://gerrit.wikimedia.org/r/407403

xSavitar triaged this task as Medium priority. Feb 1 2018, 7:05 PM

@Tgr, I've submitted a patch. Detecting if it's a session timeout or other will be another task that I've filed here: T186249.

Change 407403 merged by jenkins-bot:
[mediawiki/core@master] Fix sessionfailure i18n message during authentication

https://gerrit.wikimedia.org/r/407403