
Setting the EditPage::POST_EDIT_COOKIE_KEY_PREFIX cookie on every edit causes the Cookie header to be truncated for bots and browsers.
Open, Needs Triage · Public

Description

Upgraded from MW 1.29 to MW 1.31.

AutoWikiBrowser, PyWikiBot, and mwclient are all affected by this. This also affects browsers, but requires rapid-fire editing.

The EditPage::POST_EDIT_COOKIE_KEY_PREFIX cookie is being set on every edit, causing the cookie header to grow infinitely. This affects bots the most since the bots do not follow the redirect to the view page to get the cookie cleared. This results in the cookie header being truncated, which causes the bot to get logged out. One of our editors is also able to reproduce this behavior in Firefox and Chrome due to them making rapid edits along with not always loading the view page afterwards.

The only reason this cookie appears to have been added was to selectively add the mediawiki.action.view.postEdit resource module to the page. Previously in MW 1.29 it was being added to every article view.

This happens in both the web and API entry points.

Reference: See EditPage::setPostEditCookie() where it creates the cookie key: $postEditKey = self::POST_EDIT_COOKIE_KEY_PREFIX . $revisionId;

Event Timeline

Alexia created this task. Dec 5 2018, 7:51 PM
Restricted Application added subscribers: Danmichaelo, Aklapper. Dec 5 2018, 7:51 PM

If the same cookie is set many times, it should only be stored (and sent to the server) once. If the clients are using a naive approach where they append several values for the same cookie name, it is a client bug.

Alexia added a comment. Dec 5 2018, 7:57 PM

This is MediaWiki making many cookies. See EditPage::setPostEditCookie() where it creates the cookie key: $postEditKey = self::POST_EDIT_COOKIE_KEY_PREFIX . $revisionId;

Alexia updated the task description. Dec 5 2018, 8:12 PM

Change 477858 had a related patch set uploaded (by Alexia; owner: Alexia):
[mediawiki/core@master] Do not set the post edit cookie for API made edits.

https://gerrit.wikimedia.org/r/477858
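
The behaviour discussed in this task, as an added example that is not MediaWiki code and not part of the original report: a client cookie jar keyed by name keeps one entry when the same name is set repeatedly, but gains one entry per edit when the name embeds the revision ID and the view page is never loaded. The prefix string, cookie value, session cookie and the 8190-byte header limit are constructed assumptions; the page gives none of them.

```python
"""Simulate a client cookie jar across many edits (added example)."""

# Assumptions (not from the page): the prefix string, the cookie value,
# the session cookie and the header limit are all constructed.
PREFIX = "examplePostEditRevision"  # stand-in for POST_EDIT_COOKIE_KEY_PREFIX
HEADER_LIMIT = 8190                 # assumed per-header size limit, in bytes


def cookie_header(jar):
    """Serialize the jar as a Cookie header value: name=value pairs joined by '; '."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def edit(jar, revision_id, per_revision_name=True):
    """Apply the Set-Cookie that an edit response carries.

    The jar is keyed by cookie name, so a repeated name overwrites the old
    entry, while a name that embeds the revision id adds a new entry.
    """
    name = f"{PREFIX}{revision_id}" if per_revision_name else PREFIX
    jar[name] = "saved"


def view_page(jar):
    """Model the view page clearing post-edit cookies (the step bots skip)."""
    for name in [n for n in jar if n.startswith(PREFIX)]:
        del jar[name]


def edits_until_limit(per_revision_name, follow_redirect, max_edits=5000):
    """Return the edit count at which the header exceeds HEADER_LIMIT, else None."""
    jar = {"example_session": "0123456789abcdef0123456789abcdef"}
    for count in range(1, max_edits + 1):
        edit(jar, 100000 + count, per_revision_name)
        if len(cookie_header(jar)) > HEADER_LIMIT:
            return count
        if follow_redirect:
            view_page(jar)
    return None


if __name__ == "__main__":
    print("per-revision names, view page skipped:", edits_until_limit(True, False))
    print("per-revision names, view page loaded: ", edits_until_limit(True, True))
    print("single cookie name, view page skipped:", edits_until_limit(False, False))
```

Only the first case ever crosses the limit, which matches the report that bots skipping the view page are hit hardest.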