Page MenuHomePhabricator

New users losing login session when editing from a globally blocked IP
Open, Needs TriagePublic

Description

Steps to reproduce:

  1. Visit zh.wikipedia.org through a globally blocked IP (usually an open proxy)
  2. Login an account with no autoconfirmed flag
  3. Ask a local admin to grant IPBE to the account
  4. Click the "edit" button on a page

Expected: Edit box and tools appears normally.

Actual: A hint appears on the upper right corner, saying:

Central login
You are centrally logged in as <username>. Reload the page to apply your user settings.

Meanwhile, username on the upper right corner is replaced by Not logged in. Since we are using a globally blocked IP, the block interface also appears. (Screeshot on zhwiki)

Steps to reproduce (continue):

  1. Refresh the page (follow directions given)
  2. Preview the changes (forced to do this because the account is not autoconfirmed)
  3. Publish the changes

Expected: Return to read mode and see the changed things.

Actual: What happened before occurred again. We lose login session once we click the "Save" button and return to edit mode after refreshing the page. The changes we made will never be published (because the IP is blocked, it is impossible to save them without login).


Before reporting this problem here, I tried granting confirmed flag to affected users. They successfully saved their changes after getting confirmed permission. However, some of our abusefilters and other anti-vandalism stuffs rely on confirmed flags so that we are not expected to grant it simply for avoiding this technical problem.

Some affected users also reported successful edits after changing to those IPs which are not globally blocked. Therefore, I guess it is using globally blocked IP and having no confirmed flag that lead to login session losing.

I yet don't know whether there's a chance to meet this issue or it always happen (if you follow the step mentioned above). At least users who were granted confirmed flag saw no problem in saving changes.


Sysops and experienced users on zhwiki received report of this issue from both mobile and desktop version, as well as various browsers and operating systems (If my memory is correct). We also asked the affected users to check their cookie settings and find no problem there. Though I have only seen reports from zhwiki, I believe that this is a general MediaWiki problem.

Event Timeline

Tigerzeng created this task.Feb 8 2020, 9:13 AM
Restricted Application added subscribers: Cosine02, Aklapper. · View Herald TranscriptFeb 8 2020, 9:13 AM
Tigerzeng updated the task description. (Show Details)Feb 8 2020, 10:49 AM
Tigerzeng updated the task description. (Show Details)Feb 11 2020, 4:06 AM
Tigerzeng updated the task description. (Show Details)
Xiplus added a subscriber: Xiplus.Feb 22 2020, 9:04 AM
This comment was removed by Hamishcn.
DWYoungDLS added a subscriber: DWYoungDLS.EditedFeb 24 2020, 4:03 AM

As Tigerzeng requested, I'm posting the test result here.

With Tigerzeng's help, I have tested the situation twice with an unused account. On Feb. 7th, the problem is successfully recreated with only ipblock-exempt permission, when I was entering the sandbox page, the login session dropped and it shows "Central Login" at the right-top corner. After refreshing the page, I got the session back and I started to edit. As the editing box shows up, the login session dropped again, and there's a warning saying that the IP is globally blocked (and it surely will if I do not login). As I refreshed again, the session came back again and the warning went nowhere. After I wrote some random character and clicked the "Preview" button, with the reloading of the page, the session dropped again. Refresh again, and the session came back again. After I clicked "Publish", the session dropped again and the edit is not being saved. Also there is a detail that I've enabled the 2017 edition of source editing tool, it still loaded the 2010 edition for me. The same day, with both ipblock-exempt and confirmed permission, none of those happened, and the 2017 edition loaded normally. When I was testing with a ip which is not globally blocked, none of the problem shows up.

On Feb. 23rd, I did another test, but I could not reproduce any of the problem listed above, with or without confirmed right, enable or disable 2017 edition source editing. The only thing I noticed is that the global block notice has changed to raw English content instead of the fancy Chinese content with a light-red background and a red border. (I did'nt test with any ip with no global-block)

The testing platform is Android 6.0.1, using Chrome 77.0.

Though according to the test, the problem has been fixed for some reason, on Feb. 25th, still, user RavenclawOIer reported they are losing login session for no reason.

Additionally, the users who lost login session reported that their session won't lose if they are using mobile view to edit.

And from my own testing, many minor Wikimedia wikis do not have the problem.

The latest victim of this issue successfully edited through 2017 wikitext editor with no confirmed flag. Detailed information are listed below:

Desktop view
IP blocked globally
Local IPBE
No confirmed flag
2010 wikitext editor
-----------------------
Unable to submit, logged out on previewing and publishing
Desktop view
IP blocked globally
Local IPBE
No confirmed flag
2017 wikitext editor
-----------------------
Able to submit.
Dvorapa added a subscriber: Dvorapa.Apr 4 2020, 9:35 PM

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Hamishcn added a comment.EditedApr 25 2020, 1:17 PM

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Please kindly advise whether you were using an open proxy which is globally blocked.

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Hi, but our 'global-blocked ip' means hard-block (without an IPBE flag, no edits could be done, no matter logged in or not). According to your recording, I believe that your testing IP is being soft-blocked, and this kind of matter could be bypassed by logging in. Besides, we didn't clear the cookies before we do test edits.

You may see my recent test at https://img.vim-cn.com/6b/c001a0662f3e41acb1fb9354739e00b42663d8.mp4 .(this link may expire in some time.)

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Please kindly advise whether you were using an open proxy which is globally blocked.

Yes, an IP which is globally blocked for anonymous contirbutors. You can see the global block notice in the screencast

Hi, but our 'global-blocked ip' means hard-block (without an IPBE flag, no edits could be done, no matter logged in or not). According to your recording, I believe that your testing IP is being soft-blocked, and this kind of matter could be bypassed by logging in. Besides, we didn't clear the cookies before we do test edits.

What I did _should_ be equivalent to logging out and logging in at a different project than zhwiki (otherwise, Central login You are centrally logged in as <username>. Reload the page to apply your user settings does not appear at all).

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Please kindly advise whether you were using an open proxy which is globally blocked.

Yes, an IP which is globally blocked for anonymous contirbutors. You can see the global block notice in the screencast

Hi, but our 'global-blocked ip' means hard-block (without an IPBE flag, no edits could be done, no matter logged in or not). According to your recording, I believe that your testing IP is being soft-blocked, and this kind of matter could be bypassed by logging in. Besides, we didn't clear the cookies before we do test edits.

What I did _should_ be equivalent to logging out and logging in at a different project than zhwiki (otherwise, Central login You are centrally logged in as <username>. Reload the page to apply your user settings does not appear at all).

Sorry I should say this in my last reply, you have successfully reproduced the issue, as when you tried to preview your edit, your login session had lost and this is why you received the notice where your cursor circled around.

@Hamishcn Actually I have not. As you can see in the recording, I've removed the login cookie manually - the description of your issue mentions that you should get logged in by SUL, which I did. If I just log in, click edit and try to preview and save, everything works as expected.

Tigerzeng added a comment.EditedApr 25 2020, 2:35 PM

I've tried to reproduce this a couple of times, with User:Martin Urbanec (test). That acount has no special privileges (besides being accountcreator+autopatrolled at cswiki). I haven't managed to reproduce this issue. You can view my screen at https://ctrlv.tv/IWdw. I have cleared cookies from *.wikipedia.org between the attempts, to make system think I'm not logged into zhwiki, and to let SUL log me in.

Sorry for missing one thing in steps to reproduce. The global IP block should not be anonymous only and the account have to have IPBE in order to edit. I don't know if this is equivalent to your testing environment but they are indeed different.

I've just tried and reproduced the problem, and found something interesting. Under a slow internet connection, if you click the publish button before the page is fully loaded, you will be able to submit your edit. See this video at 0:30 and 0:45 (It will expire in a week. I would appreciate it if you can help reupload it to a better place)

@Hamishcn Actually I have not. As you can see in the recording, I've removed the login cookie manually - the description of your issue mentions that you should get logged in by SUL, which I did. If I just log in, click edit and try to preview and save, everything works as expected.

I'm really sorry for my mistake, I think I might click wrong link and the video in that link showed the problem. And, I've granted IPBE flag to your test account, feel free to test under WP:SB or somewhere else in your userspace, and you may find me on IRC to remove the permission for test if necessary.

I was not able to reproduce the issue either. I tried both the old and the
new wikitext editor. If you want, I can record a second screencast and
send it to you.

Update: still not resolved as told by a friend of mine.

Any additional info from him/her would be much appreciated

Hi, I'm a new wiki user and can reproduce this issue. What can I help to resolve this?

Shizhao moved this task from Backlog to Extensions on the Chinese-Sites board.Jul 6 2020, 1:11 AM

@Urbanecm It might be a bit late to tell, but earlier this year, the local community have noticed that if the users who run into the problem submit their edits before the 2010 version of the wikitext editor load completely, the submission would be succeeded and their sessions would not lose in a few days. That might be a clue about why it happens.

What I mean is that there might be some problems with the scripts (or something) which will be loaded in the very end of the editing page loading procedure, and if the script is not loaded, and the user successfully submitted their edit, the local cookie would stop the problem from occuring for some time.