Page MenuHomePhabricator
Create Task
Maniphest T226736

"Logging you out from other wikis of the Wikimedia Foundation:" and interwiki icons do not appear when clicking on "Log out" on the English Wikipedia
Open, MediumPublic
Actions

Description

When I click on the "Log out" link next to the "Contributions" link at the top right corner of any page (for example, the Main Page) on the English Wikipedia or any other Wikimedia wiki, neither "Logging you out from other wikis of the Wikimedia Foundation:" nor the row of interwiki icons below it appear where they used to be. However, if I visit Special:UserLogout on any Wikimedia wiki and then click on the "Submit" button, the row of interwiki icons does appear, but only while currently logged in. The row of interwiki icons does not appear if I visit the same page on any Wikimedia wiki while being already logged out.

I also previously reported this at the technical village pump. I tried it in IE, Microsoft Edge, Firefox, and Chrome and got the same result for all 4 browsers.

Compare the following 2 images:

  • CroppedPNG.png (233×1 px, 26 KB)
    when clicking on the "Log out" link from Wikipedia's Main Page
  • LogOutWithInterwikiIcons.PNG (285×1 px, 32 KB)
    when clicking on "Submit" after having visited "Special:UserLogout" directly on the English Wikipedia

Related Objects

Event Timeline

GTrang created this task.Jun 27 2019, 4:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2019, 4:50 PM
GTrang updated the task description. (Show Details)Jun 27 2019, 4:57 PM
Aklapper changed the task status from Open to Stalled.Jun 27 2019, 6:06 PM

@GeoffreyT2000: This task lacks any steps to reproduce (URL, browser used, etc).
Again: Please do read and follow https://www.mediawiki.org/wiki/How_to_report_a_bug when creating tasks.

The icons do not appear if I visit Special:UserLogout while being already logged out.

Not on mediawiki.org for me:

Screenshot from 2019-06-27 20-03-09.png (1×1 px, 260 KB)

GTrang renamed this task from Wiki icons do not appear when clicking on "Log out" to Interwiki icons do not appear when clicking on "Log out".Jun 27 2019, 6:09 PM
GTrang renamed this task from Interwiki icons do not appear when clicking on "Log out" to "Logging you out from other wikis of the Wikimedia Foundation:" and interwiki icons do not appear when clicking on "Log out".
GTrang updated the task description. (Show Details)
Krinkle subscribed.Jun 27 2019, 6:12 PM

@GeoffreyT2000 Can you share a visual of when the icons do appear?

GTrang updated the task description. (Show Details)Jun 27 2019, 6:16 PM
GTrang updated the task description. (Show Details)Jun 27 2019, 6:19 PM
GTrang added a comment.EditedJun 27 2019, 6:24 PM

OK, I uploaded another image here. However, something is still not right. Namely, "Logging you out from other wikis of the Wikimedia Foundation:" and the interwiki icons below it are not in the same place as when they did 2 months ago. They are below rather than above "Return to Main Page".

GTrang updated the task description. (Show Details)Jun 27 2019, 6:24 PM
Aklapper added a comment.Jun 27 2019, 6:26 PM

@GeoffreyT2000: Please read my previous comment again. Still no idea which exact website this is about...

GTrang updated the task description. (Show Details)Jun 27 2019, 6:30 PM

OK, I added the exact URL now. It is https://en.wikipedia.org/wiki/Special:UserLogout.

GTrang updated the task description. (Show Details)Jun 27 2019, 6:38 PM
GTrang renamed this task from "Logging you out from other wikis of the Wikimedia Foundation:" and interwiki icons do not appear when clicking on "Log out" to "Logging you out from other wikis of the Wikimedia Foundation:" and interwiki icons do not appear when clicking on "Log out" on the English Wikipedia.Jun 28 2019, 4:50 AM
GTrang added a comment.Jun 28 2019, 4:55 AM

Can this task have its "Stalled" status removed now? I have tried to fix all of the concerns by @Aklapper by making it obvious that this is about the English Wikipedia, not any other wiki.

Aklapper added a comment.EditedJun 28 2019, 8:45 AM

What makes you think that this useless row of icons did not intentionally get removed? Does the HTML page source code show any signs that something is missing? Please provide such info.

I do not see any bug in this task (so far) but an improvement.

GTrang updated the task description. (Show Details)Jun 28 2019, 7:59 PM
Aklapper added a comment.Jun 28 2019, 8:07 PM

Ah, thanks for the addition to the task description! That helps to see that there might be an inconsistency indeed.

Aklapper changed the task status from Stalled to Open.Jul 6 2019, 6:14 PM

Hmm, https://en.wikipedia.org/wiki/MediaWiki:Centralauth-logout-progress still exists. Indeed the centralauth-logout-box is not shown for the steps you provided. Code is at https://phabricator.wikimedia.org/diffusion/ECAU/browse/master/includes/CentralAuthHooks.php$630 without recent changes.

Maybe $wikis/wgCentralAuthLoginWiki is not set/passed when going to Special:UserLogout directly?

Krinkle added a comment.EditedJul 9 2019, 8:15 PM
Task description by @GeoffreyT2000

Compare the following 2 images:

  1. CroppedPNG.png (233×1 px, 26 KB)
    when clicking on the "Log out" link from Wikipedia's Main Page
  2. LogOutWithInterwikiIcons.PNG (285×1 px, 32 KB)
    when clicking on "Submit" after having visited "Special:UserLogout" directly on the English Wikipedia

In the first scenario, the "Log out" link will log you out using a JavaScript background request ("ajax"), with a notification displaying on the top-right to indicate that you are being logged out. Once this is finished, you are redirected to "Special:UserLogout", which serves as a confirmation of this action having completed. In this scenario, when your browser visits "Special:UserLogout" you have already been logged-out, and thus would be the same as visiting that link as an anonymous user who was never logged-in in the first place.

In the second scenario, you are using "Special:UserLogout" to perform the log-out action itself. This is similar to how it was before 2 months ago, and how it is today if you use that link in a new tab, or if JS is disabled/slow. In this scenario, when your browser opens "Special:UserLogout" the log out action itself is happening right then and there as part of the form submission.

In the second scenario, the images are needed in order to also log you out on other wikis. The images effectively obscured browser windows that submit "Special:UserLogout" on other wikis as well, represented by a tiny image.

In the first scenario, these images are not there because you are already successfully logged-out everywhere.

While the difference may be confusing, it is currently working as intended and accurately informing the user what is happening.

  • In the first scenario, the "We are logging you out" is displayed in a notification bubble before redirecting to the "Special:UserLogout" page.
  • In the second scenario, this message and the images are displayed at the bottom of the "Special:UserLogout" page.

What's left at this task is deciding whether we want to make these visually consistent. For example, by always making the images invisible (transparent GIF instead of actual image), and by making the text phrasing the same between the notification bubble and the fallback page.

Krinkle triaged this task as Medium priority.Jul 9 2019, 8:15 PM
Tgr subscribed.Oct 6 2023, 11:12 PM

Why did we show those icons (presumably they point to Special:CentralAutoLogin/deleteCookies) in the first place? Logout happens by invalidating the central session. Was it for some weird edge case (like a CentralAuth installation with edge login but no central login wiki), or just to clean up the cookies?

Krinkle added a comment.Oct 6 2023, 11:33 PM

@Tgr I believe the reason is to clear cookies indeed. That way a shared computer won't leave your identity in the cookiebin, given we store usernames in the cookie in plain text.

Perhaps the Clear-Site-Data header can be used for that instead. That would not be subject to third-party cookie and cross-origin restrictions, and has the benefit of also clearing HTTP caches which would also still contain many references to their login session (at the very least, user names on every page).

Tgr closed this task as Declined.Oct 7 2023, 2:42 AM

We don't clear the username cookie on logout, though (it's used to prefill the login form). And we don't set the LoggedOut cookie (sometimes used to bypass cache) in deleteCookies. So I think it is pretty pointless.

Arguably there isn't much point in keeping the username cookie these days, because browsers' password managers are doing a better job of guessing whether the field should be prefilled or not. But even then, clearing cookies is not very useful because we can only do it for the edge login wiki set, but the authn cookies will be present on each individual domain the user has visited. If we wanted to improve privacy, we should probably encrypt cookies somehow.

Maybe pre-AuthManager there was some value in not having parent-domain cookies linger around, I don't remember how that worked. But these days they get cleaned automatically when they are invalid, and we don't really have unattached users anyway. So I don't think it matters much whether we clear the cookies.

Clear-Site-Data does clear subdomains so that would be a meaningful privacy improvement, at the cost of maybe clearing cookies that shouldn't be cleared (logged-out preferences, unique device counters etc). Maybe worth a task of its own. I'll close this one though as I don't think we really care about whether the icons show or not.

Tgr added a comment.Oct 7 2023, 2:44 AM
In T226736#9232644, @Tgr wrote:

Clear-Site-Data ... Maybe worth a task of its own.

I see you already made one: T179752: Clear site data on MediaWiki log out

Krinkle mentioned this in T179752: Clear site data on MediaWiki log out.Oct 7 2023, 2:55 AM
Tgr reopened this task as Open.EditedOct 9 2023, 3:07 AM

On second thought, deleteCookies logs you out on other sites regardless of whether you are logged in with the same account, and that's actually useful in some fringe cases where you end up being logged into different accounts on different domains. IP masking mid-rollout might cause that since temp user central sessions will be valid on pilot wikis and invalid on non-pilot ones (which under ideal circumstances still should not cause a split-brain situation, but with some requests failing / some cookies blocked by browsers it seems hard to reliably avoid). So at least until IP masking is fully rolled out, we do care whether the logout icons work reliably.

(ref: T342475: Define temporary account behavior on Wikimedia wikis which have IP masking disabled)

JayCano added a project: Temporary accounts.Sep 12 2024, 1:20 PM
kostajh moved this task from Inbox to Triaged on the Temporary accounts board.Sep 13 2024, 10:21 AM
kostajh subscribed.
In T226736#9234256, @Tgr wrote:

On second thought, deleteCookies logs you out on other sites regardless of whether you are logged in with the same account, and that's actually useful in some fringe cases where you end up being logged into different accounts on different domains. IP masking mid-rollout might cause that since temp user central sessions will be valid on pilot wikis and invalid on non-pilot ones (which under ideal circumstances still should not cause a split-brain situation, but with some requests failing / some cookies blocked by browsers it seems hard to reliably avoid). So at least until IP masking is fully rolled out, we do care whether the logout icons work reliably.

(ref: T342475: Define temporary account behavior on Wikimedia wikis which have IP masking disabled)

@Tgr does your team plan to do work around this task?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits