Page MenuHomePhabricator
Create Task
Maniphest T213763

Session failure warning message ('sessionfailure') still gives bad advice
Open, Needs TriagePublic
Actions

Description

Happy 10 year old reunion, T19029.

As recently discussed on enwiki (https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=878410866#Cannot_log_on_through_TOR) the cryptic-to-end-users response in MediaWiki:Sessionfailure doesn't necessarily give useful advice. In recent testing it appears this message is generated for issues with authentication cookies, wherein "resubmitting the form" will never solve the problem. Suggest this is improved to at least mention that it can be generated due to cookie issues.

Details

SubjectRepoBranchLines +/-
Fix nocookie warning on Special:Userloginmediawiki/coremaster+5 -3
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
InvalidNoneT40638 [DO NOT USE] Interface messages needing rewording or documentation and other issues with existing messages [superseded by #Voice_&_Tone]
OpenNoneT213763 Session failure warning message ('sessionfailure') still gives bad advice
· · ·

Event Timeline

Xaosflux created this task.Jan 14 2019, 9:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2019, 9:59 PM
Aklapper added a parent task: T40638: [DO NOT USE] Interface messages needing rewording or documentation and other issues with existing messages [superseded by #Voice_&_Tone].Jan 15 2019, 3:07 AM
Xaosflux edited projects, added MediaWiki-User-Interface; removed MediaWiki-General.Jan 15 2019, 4:27 AM
Bawolff subscribed.EditedJan 15 2019, 4:25 PM

So looking at the code (I assume we are talking about login here):

protected static $messages = [ 
        'authform-newtoken' => 'nocookiesforlogin',
        'authform-notoken' => 'sessionfailure',
        'authform-wrongtoken' => 'sessionfailure',
];

In principle, you should only get the session failure error if your token doesn't match your cookie, or if the request was missing some fields. In the event you have cookies disabled you should get a different error message. (I have not tested this myself - perhaps this code is broken and giving the wrong error message)

Are we sure the user is reporting his situation correctly? He is also seems to be claiming that it used to work with cookies being blocked (Which is obviously not the case, since its impossible for any sort of login feature to work without cookies to maintain state). Although he implied that he was perhaps only blocking some cookies. I don't know for sure - but it seems reasonable that if only some login cookies are blocked, that mediawiki would throw up its hands in confusion and say that there is an unknown failure in the session management system

Bawolff added a comment.Jan 15 2019, 4:29 PM

That said, probably couldn't hurt to mention cookies as a possibility in that error message.

suffusion_of_yellow subscribed.Jan 15 2019, 11:46 PM
In T213763#4881554, @Bawolff wrote:

In principle, you should only get the session failure error if your token doesn't match your cookie, or if the request was missing some fields. In the event you have cookies disabled you should get a different error message. (I have not tested this myself - perhaps this code is broken and giving the wrong error message)

That doesn't seem to be the case. I can't even figure out how to get the nocookiesforlogin message to display. Any attempt to log in (Firefox 64, Linux, any username or password) with all cookies blocked just gives me the same sessionfailure message as when I leave cookies enabled, but delete or mangle the token.

Ammarpad subscribed.Jan 16 2019, 8:49 AM
gerritbot subscribed.Jan 30 2019, 7:01 PM

Change 487159 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Fix nocookie warning on Special:Userlogin

https://gerrit.wikimedia.org/r/487159

gerritbot added a project: Patch-For-Review.Jan 30 2019, 7:01 PM
Bawolff added a comment.Jan 30 2019, 7:03 PM

So i figured out the cause.

The no cookie detection code is fragile and only works the first time ->getToken() is called. This is icky and other code had side effects that prevented it from working.

I gave a fix above, but that's kind of hacky. At the very least it should have tests. But it looks complex to add tests for this behaviour, and I don't really have the time at the moment to fix this properly, so I'm not sure that patch will be accepted. So Umm, if anyone wants to fix this properly that'd be great (sorry for the cop-out).

Jdlrobson added a project: MediaWiki-User-login-and-signup.Jan 13 2021, 2:21 AM
Aklapper added a project: Voice & Tone.May 24 2021, 9:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL