
GoogleLogin not triggering "Keep me logged in" automatically
Open, Needs Triage · Public

Description

When disabling all authentication methods other than one link provider (e.g. by installing the GoogleLogin extension and setting $wgAuthManagerAutoConfig['primaryauth'] = []; in LocalSettings.php), the login form is skipped when the user clicks on login, for the user's convenience. However, this also prevents the user from checking the "keep me logged in" checkbox, so that his session is kept for a longer time. This is not very nice, as the user may want to be kept logged in on the current system.

Possible solutions would be:

  • Remove the feature to automatically redirect to the link provider; this, however, would introduce one more click and pageview, which is not really needed unfortunately :/
  • Always keep the user logged in when only a link provider is used; this, however, might be a security issue, especially if the user is logging in in an unsafe environment
  • Probably provide a way of extending the session after the successful login; however, I've no idea what this could look like

Original task description:

https://www.mediawiki.org/wiki/Extension:GoogleLogin#$wgGLShowKeepLogin states "the Keep me logged in checkbox now applies to all authentication methods, including GoogleLogin"

We are using Google Login with $wgAuthManagerAutoConfig['primaryauth'] = []; set, so that we can just have Google Login, but because of this we don't get the Login form that allows us to check "Keep me logged in". As such, we don't get the mediawikiToken cookie, and we get logged out when we close the browser.

Even if I enable the login form, unless we click "Keep me logged in" before clicking Login with Google, we don't get the mediawikiToken cookie, just the session cookies. So the statement in the docs about Keep me logged in applying to all authentication methods is wrong.

Is something needing to be fixed in the GoogleLogin code so it's automatically applied, or has something in MediaWiki changed preventing this from working? Ideally, regardless of the login form being shown or not, it would be good for all Google Logins to have the mediawikiToken cookie being created.
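An added example, not part of the original task or of the GoogleLogin code: one way to check the behaviour reported above is to classify the Set-Cookie headers of a login response as session-only or persistent. The header values, the `mediawiki` cookie prefix on `mediawiki_session`, and the fixed clock are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; values are placeholders, not real tokens.
NOW = datetime(2018, 9, 19, 1, 54, tzinfo=timezone.utc)
WITHOUT_REMEMBER = [
    "mediawiki_session=constructed-session-id; path=/; secure; HttpOnly",
    "mediawikiToken=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/",
]
WITH_REMEMBER = [
    "mediawiki_session=constructed-session-id; path=/; secure; HttpOnly",
    "mediawikiToken=constructed-token; expires=Fri, 19 Oct 2018 01:54:00 GMT; path=/; secure; HttpOnly",
]

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def lifetime_seconds(attrs, now):
    """None means a session cookie, dropped when the browser closes."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit_login_cookies(headers, now):
    """Label each cookie as 'session', 'deleted' or 'persistent:<days>d'."""
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        if life is None:
            report[name] = "session"
        elif life <= 0:
            report[name] = "deleted"
        else:
            report[name] = f"persistent:{life // 86400}d"
    return report

def stays_logged_in(report, prefix):
    """True only if the <prefix>Token cookie survives a browser restart."""
    return report.get(prefix + "Token", "session").startswith("persistent")

if __name__ == "__main__":
    for label, headers in (("without", WITHOUT_REMEMBER), ("with", WITH_REMEMBER)):
        print(label, audit_login_cookies(headers, NOW))
```
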

Event Timeline

Restricted Application added a subscriber: Aklapper. Sep 19 2018, 1:54 AM

Which exact MediaWiki and extension versions and branches are used?

Mediawiki 1.31.0
GoogleLogin branch REL1_31 (Commit 3381e8dce38097468b3411c50761830f34e3c317)

The documentation is correct from my point of view. If you check the keep me logged in checkbox, you will be kept logged in even if you use GoogleLogin to log in. However, if you remove all authentication methods (which bypasses the Login form completely for convenience of the users) you can't check this checkbox.

> Ideally, regardless of the login form being shown or not, it would be good for all Google Logins to have the mediawikiToken cookie being created.

This is probably not a good idea. The keep me logged in function is a kind of feature that should be used in a trusted environment only, hence the user should decide themselves if it is safe to be kept logged in on the current machine or not.

However, I agree that it would be cool to be able to be kept logged in when no other authentication provider is available and the login page is skipped. However, this is nothing the GoogleLogin extension should do in my opinion :/ I would rephrase the task and add some other tags, so that this can be discussed on the right board, if and how this could be implemented :)

Is there a way to configure the auth manager so that a login page with the "Keep me logged in" checkbox is displayed when using GoogleLogin in authoritative mode? I can't find any documentation on this. Right now users (on a private wiki) are getting intermittently logged out, which is particularly annoying when it happens when posting a change to an article.

Just out of curiosity: The default setting for cookies when logging in of MediaWiki should be 30 days. Is it possible that you configured https://www.mediawiki.org/wiki/Manual:$wgCookieExpiration to a way lower amount of time? This would probably be the right way to change the default time until a user is logged out.

As of now, I don't know any configuration you can do in order to show the login page, when you only have one AuthenticationProvider, as skipping the login page then is an intended behaviour.

Nguyenkhoidoanh99 changed the task status from Open to Stalled. Jun 19 2020, 9:37 PM
Nguyenkhoidoanh99 assigned this task to GoogleCode-IN.
Nguyenkhoidoanh99 triaged this task as Unbreak Now! priority.
Nguyenkhoidoanh99 updated the task description.
Nguyenkhoidoanh99 set the point value for this task to 10.
Restricted Application added a subscriber: Liuxinyu970226. Jun 19 2020, 9:37 PM
JJMC89 removed GoogleCode-IN as the assignee of this task. Jun 19 2020, 9:41 PM
JJMC89 lowered the priority of this task from Unbreak Now! to Needs Triage.
JJMC89 removed a project: MobileFrontend-alpha.
JJMC89 updated the task description.
JJMC89 removed the point value for this task.
JJMC89 edited subscribers, added: GoogleCode-IN; removed: Liuxinyu970226.
JJMC89 removed a subscriber: GoogleCode-IN.
JJMC89 changed the task status from Stalled to Open. Jun 19 2020, 9:45 PM