edit-module does't work with centralauth-cookie
Open, NormalPublic

Description

The query module (e.g. userinfo) ist working regardless i use centralauth_User/Token/Session or dewikiUsername/Token/Session as cookie. Changing a page content using the api-edit-module only works with the local cookie. Sending only the three centralauth-Cookies on an edit request returns a "badtoken"-error.

Because the local cookie names and values change on each wiki it would be nice to not relogin on every wiki.


Version: 1.15.x
Severity: enhancement

Details

Reference
bz17335
bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz17335.
bzimport added a subscriber: Unknown Object (MLST).
Merl created this task.Feb 3 2009, 4:24 AM

(In reply to comment #0)

The query module (e.g. userinfo) ist working regardless i use
centralauth_User/Token/Session or dewikiUsername/Token/Session as cookie.
Changing a page content using the api-edit-module only works with the local
cookie. Sending only the three centralauth-Cookies on an edit request returns a
"badtoken"-error.

Because the local cookie names and values change on each wiki it would be nice
to not relogin on every wiki.

This is gonna be non-trivial to reproduce for me, so can you make sure that you used the same cookies for the token request and the edit request? The token depends on your cookie, so you can't get a token with a deWiki cookie and use it with a centralauth cookie (that's more or less the point of tokens).

Please try using one set of tokens (only the deWiki ones or only the centralauth ones) for both the token retrieval and the edit request, and see if the issue persists.

Merl added a comment.Feb 3 2009, 12:14 PM

My code

a)in local-cookie-mode reads the cookie data from the returned xml-data from login module:

user="/api/login/@lguserid"; token="/api/login/@lgtoken"; session="/api/login/@sessionid";

Then on every following request i do (this testcase is for dewiki, because i don't read the cookieprefix):
addHeader("Cookie" ,"dewikiUsername="+user+"; dewikiToken="+token+"; dewiki_session="+session);

b)in global-cookie-mode reads the cookie data from the SetCookie-Header return from login module:

Header h = getHeader("Set-Cookie");
user=h.getParameter("centraulauth_User"); token=h.getParameter("centraulauth_Token"); session=h.getParameter("centraulauth_Session");

Then on every following request i do:
addHeader("Cookie" ,"centralauth_User="+user+"; centralauth_Session="+session+"; centralauth_Token="+session);

Only these three cookies mentioned before are send on every request (no dewiki_session in global mode although it is returned as Set-Cookie-Header)
Both versions are working correct e.g. when requesting userinfo.

No other Code has been changed between these two testcases. The edittoken is requested with "action=query&prop=info&intoken=edit&titles=Pagename" and is working with the edit request on mode a). But in mode b) a badtoken error is returned. All data (login, edittoken, edit) is send via a http-post request.

(In reply to comment #2)

No other Code has been changed between these two testcases. The edittoken is
requested with "action=query&prop=info&intoken=edit&titles=Pagename" and is
working with the edit request on mode a). But in mode b) a badtoken error is
returned. All data (login, edittoken, edit) is send via a http-post request.

Can you check whether your edit token just happens to be +\ (without any hash in front of it)?

Merl added a comment.Feb 3 2009, 3:24 PM

using only "+\" as token returns a bad token error.
Sending no cookie and using "+\" returns success.
The token is exactly the same on both modes.

mike.lifeguard+bugs wrote:

(In reply to comment #4)

Sending no cookie and using "+\" returns success.

This must result in a logged-out edit, since "+\" is the token for anonymous users.

hoo added a comment.Jun 24 2011, 11:57 PM

I have written a Python script to access the API as well and had the same problems. It can be resolved with accepting the locally set cookies on all requests (can be done using a single http request function and a cookie store var per wiki), which in my opinion is mandatory, cause there is a reason why those exist.

Bryan.TongMinh wrote:

Well, no. The whole point of CA is that you only need to login once.

Anomie set Security to None.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2016, 3:26 PM