
Calling session_start() with Auth_remoteuser extension causes AuthManager tokens not to match
Closed, ResolvedPublic

Description

Steps to reproduce:

  • Install MediaWiki 1.30 and the extension Auth_remoteuser 2.0.1
  • add the following code to LocalSettings.php:
wfLoadExtension( 'Auth_remoteuser' );
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// This class is from the other project, where the PHP session is initiated (session_start()).
require_once( "../includes/class.user.php" );
// isUserLoggedIn() and $loggedInUser are assumed to be provided by that class;
// the original snippet referenced isUserLoggedIn as a bare constant, without parentheses.
if ( !isUserLoggedIn() ) {
    header( "Location: http://localhost/login.php" ); // the login page from the other project
    die(); // stop MediaWiki from starting
} else {
    $wgAuthRemoteuserUserName = ucfirst( strtolower( $loggedInUser->username ) );
}

Actual results:

  • the user doesn't appear to be logged in although Auth_remoteuser is generating the cookies.
  • logging in to the wiki using the login special page gives the error

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again.

  • setting a debug log generates this
IP: ::1
Start request GET /newkp/w/index.php/Hauptseite
HTTP HEADERS:
HOST: localhost
COOKIE: KreuzWM51a2e67cRemoteToken=ddd; KreuzWM51a2e67cToken=b997d75bd9294460ce3e074cc641ac78; KreuzWM51a2e67cUserID=4; KreuzWM51a2e67cUserName=Ddd; KreuzWM51a2e67c_session=3jv982trkmeuohq466egesae7ohp7gp4; kreuz_session=fvs63fh6dmg4t09qiltkf0l19p598v3g
CONNECTION: keep-alive
UPGRADE-INSECURE-REQUESTS: 1
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15
REFERER: http://localhost/newkp/w/index.php?title=Spezial:Anmelden&returnto=Hauptseite
ACCEPT-LANGUAGE: en-us
ACCEPT-ENCODING: gzip, deflate
[caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff
[caches] LocalisationCache: using store LCStoreDB
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {
    "IPAddress": "::1",
    "UserAgent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15",
    "ChronologyProtection": false
}
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBConnection] Connected to database 0 at 'localhost'.
[session] SessionBackend "1hif5jbttrk8ti9kvluhc0patcafpal5" is unsaved, marking dirty in constructor
[session] SessionBackend "1hif5jbttrk8ti9kvluhc0patcafpal5" save: dataDirty=1 metaDirty=1 forcePersist=0
[cookie] already deleted setcookie: "KreuzWM_session", "", "1491669170", "/", "", "", "1"
[cookie] already deleted setcookie: "KreuzWMUserID", "", "1491669170", "/", "", "", "1"
[cookie] already deleted setcookie: "KreuzWMToken", "", "1491669170", "/", "", "", "1"
[cookie] already deleted setcookie: "forceHTTPS", "", "1491669170", "/", "", "", "1"
Title::getRestrictionTypes: applicable restrictions to [[Hauptseite]] are {edit,move}
[ContentHandler] Created handler for wikitext: WikitextContentHandler
OutputPage::checkLastModified: client did not send If-Modified-Since header
[MessageCache] MessageCache::load: Loading de... local cache is empty, got from global cache
Unstubbing $wgParser on call of $wgParser::firstCallInit from MessageCache->transform
Parser: using preprocessor: Preprocessor_DOM
Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct
[caches] parser: APCUBagOStuff
Article::view using parser cache: yes
Parser cache options found.
ParserOutput cache found.
Article::view: showing parser cache contents
MediaWiki::preOutputCommit: primary transaction round committed
MediaWiki::preOutputCommit: pre-send deferred updates completed
MediaWiki::preOutputCommit: LBFactory shutdown completed
[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache
Title::getRestrictionTypes: applicable restrictions to [[Hauptseite]] are {edit,move}
OutputPage::sendCacheControl: private caching; Sun, 08 Apr 2018 16:30:57 GMT **
[DBConnection] Connected to database 0 at 'localhost'.
Request ended normally
[session] Saving all sessions on shutdown
[DBConnection] Closing connection to database 'localhost'.
[DBConnection] Closing connection to database 'localhost'.

As you can see, the necessary cookies are generated by Auth_remoteuser, but the session id does not match and is marked dirty.
kreuz_session is the PHPSESSID from the other project.

Expected results:

  • the user should appear logged in
  • not calling session_start() and adding this to LocalSettings.php works perfectly
$wgAuthRemoteuserUserName = 'ddd';
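The mismatch the reporter spotted by eye (the request carries a KreuzWM51a2e67c_session cookie, yet MediaWiki constructs a SessionBackend with a fresh id and clears cookies under a different prefix) can be checked mechanically when triaging logs like the one above. This is an added example, not code from the report or from the Auth_remoteuser extension; it runs in Python over a constructed excerpt of the debug log, and the function names are hypothetical.

```python
import re

# Constructed excerpt, trimmed from the debug log in the report above.
SAMPLE_LOG = """\
COOKIE: KreuzWM51a2e67cRemoteToken=ddd; KreuzWM51a2e67cToken=b997d75bd9294460ce3e074cc641ac78; KreuzWM51a2e67cUserID=4; KreuzWM51a2e67cUserName=Ddd; KreuzWM51a2e67c_session=3jv982trkmeuohq466egesae7ohp7gp4; kreuz_session=fvs63fh6dmg4t09qiltkf0l19p598v3g
[session] SessionBackend "1hif5jbttrk8ti9kvluhc0patcafpal5" is unsaved, marking dirty in constructor
[session] SessionBackend "1hif5jbttrk8ti9kvluhc0patcafpal5" save: dataDirty=1 metaDirty=1 forcePersist=0
[cookie] already deleted setcookie: "KreuzWM_session", "", "1491669170", "/", "", "", "1"
[cookie] already deleted setcookie: "KreuzWMUserID", "", "1491669170", "/", "", "", "1"
"""

COOKIE_RE = re.compile(r'^COOKIE:\s*(.*)$', re.M)
BACKEND_RE = re.compile(r'\[session\] SessionBackend "([0-9a-z]+)"')
SETCOOKIE_RE = re.compile(r'\[cookie\] .*?setcookie: "([^"]+)"')


def parse_cookies(header):
    """Split a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(';'):
        part = part.strip()
        if '=' in part:
            name, value = part.split('=', 1)
            cookies[name] = value
    return cookies


def check_session_log(log):
    """Compare the session cookies the browser sent with what MediaWiki did."""
    m = COOKIE_RE.search(log)
    cookies = parse_cookies(m.group(1)) if m else {}
    session_cookies = {n: v for n, v in cookies.items() if n.endswith('_session')}
    backend_ids = set(BACKEND_RE.findall(log))
    setcookie_names = set(SETCOOKIE_RE.findall(log))
    findings = []
    # 1. MediaWiki built a SessionBackend whose id matches none of the session
    #    cookies in the request: the browser's session was not resumed.
    unmatched = sorted(i for i in backend_ids if i not in session_cookies.values())
    if unmatched:
        findings.append(('fresh_session', unmatched))
    # 2. MediaWiki (re)sets cookies under names the browser never sent, i.e. the
    #    cookie prefix differs between the request that set them and this one.
    unsent = sorted(n for n in setcookie_names if n not in cookies)
    if unsent:
        findings.append(('cookie_name_mismatch', unsent))
    return {'session_cookies': session_cookies,
            'backend_ids': sorted(backend_ids),
            'findings': findings}
```

A log from a working setup yields an empty findings list; the two findings here are the symptoms that produce the "problem with your login session" error, since the AuthManager token lives in a session the next request never resumes.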

Details

Related Gerrit Patches:

  • mediawiki/extensions/Auth_remoteuser (REL1_28): Trust generated session id on new request
  • mediawiki/extensions/Auth_remoteuser (REL1_27): Trust generated session id on new request
  • mediawiki/extensions/Auth_remoteuser (REL1_29): Trust generated session id on new request
  • mediawiki/extensions/Auth_remoteuser (REL1_30): Trust generated session id on new request
  • mediawiki/extensions/Auth_remoteuser (REL1_31): Trust generated session id on new request
  • mediawiki/extensions/Auth_remoteuser (master): Trust generated session id on new request

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 8 2018, 5:17 PM

Change 445775 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@master] Trust generated session id on new request

https://gerrit.wikimedia.org/r/445775

Enst80 claimed this task. Jul 14 2018, 1:29 PM
Enst80 added a subscriber: Enst80.

Can you please test whether this patch solves your problem? I think it is related to the other bug report T198928 (as @Revansx already mentioned).

Revansx added a comment. Edited Jul 16 2018, 1:41 PM

The patch definitely seems to help with the hugely problematic First Save issue; however, after exercising the system some today, I did experience a few:

  1. loss of session errors upon a random save as well as
  2. some odd attempts to visit a wiki article named API that I was not expecting to see (using Extension:Wiretap)

I need to test more and gather my facts. Please stay open to the idea that there is still an issue with Auth_RU.

For my observable issues I think the problem is solved. Thank you.

I have to say... I can't believe that the solution to all my system usability issues, the reason my roll-out was delayed for months, could have been handled a year ago by commenting out 1 line. I am gratefully in awe.

Change 446728 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_27] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446728

Change 446729 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_28] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446729

Change 446730 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_29] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446730

Change 446731 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_30] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446731

Change 446732 had a related patch set uploaded (by Enst80; owner: Enst80):
[mediawiki/extensions/Auth_remoteuser@REL1_31] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446732

Change 445775 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@master] Trust generated session id on new request

https://gerrit.wikimedia.org/r/445775

Change 446732 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_31] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446732

Change 446731 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_30] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446731

Change 446730 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_29] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446730

Change 446728 merged by jenkins-bot:
[mediawiki/extensions/Auth_remoteuser@REL1_27] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446728

Change 446729 merged by Enst80:
[mediawiki/extensions/Auth_remoteuser@REL1_28] Trust generated session id on new request

https://gerrit.wikimedia.org/r/446729

Enst80 closed this task as Resolved. Jul 20 2018, 6:23 PM

@Salehtahini
If the problem still persists, you can reopen this task. I'll mark it as resolved for now.

Reedy renamed this task from "Calling session_start() with Auth_remoteuser extension causes AuthManager tokens not to match" to "Calling session_start() with Auth_remoteuser extension causes AuthManager tokens not to match". Jul 20 2018, 6:25 PM