Page MenuHomePhabricator
Create Task
Maniphest T246943

Login failed/disappeared during 2FA
Open, MediumPublic
Actions

Description

Steps for the issue:

  • I opened a www.mediawiki.org page and found I was logged out.
  • I went to the login page and logged-in succesfully.
  • I was shown the 2FA step, where I entered the necessary numbers and submitted the form.

Actual outcome:

Error: No active login attempt is in progress for your session.

I've never seen this issue in the past several years of using 2FA, so I suspect it might be a regression?

Related Objects

Event Timeline

Krinkle created this task.Mar 4 2020, 8:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 4 2020, 8:50 PM
Krinkle added a comment.Mar 4 2020, 9:02 PM

From Logstash around the time I logged in (today around 18:00 UTC):

Xl-s2wpAMNIAAftEcsgAAABP (2020-03-04T18:01:03, POST /w/index.php?title=Special:UserLogin):

  • [CentralAuth INFO] authentication for 'Krinkle' succeeded
  • [CentralAuth INFO] Already fully migrated user 'Krinkle'

Xl-s7gpAICwAAFl9AjsAAAAM (2020-03-04T18:01:18, POST /w/index.php?title=Special:UserLogin)

  • [authentication INFO] OATHAuth user Krinkle entered a valid OTP from …
  • [authentication INFO] Login for Krinkle succeeded from …
  • [goodpass-priv INFO] Login succeeded for elevated Krinkle from …
  • [authevents INFO] Login attempt {event: "login"}

Xl-s8QpAICIAAC7qGr0AAAAG (2020-03-04T18:01:21, GET /wiki/Special:CentralLogin/complete?token=…)

  • [session WARNING] Session "…": Metadata merge failed: {exception}
  • [CentralAuth INFO] Expected key centralauth:central-login-complete-token:… found.
Session "[50]CentralAuthSessionProvider<+:135822:Krinkle>…": Metadata merge failed: MediaWiki\Session\MetadataMergeException: Key "CentralAuthSource" changed

Stack trace:
in /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionProvider.php:205
#0 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(614): MediaWiki\Session\SessionProvider->mergeMetadata(Array, Array)
#1 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(485): MediaWiki\Session\SessionManager->loadSessionInfoFromStore(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))
#2 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(191): MediaWiki\Session\SessionManager->getSessionInfoForRequest(Object(WebRequest))
#3 /srv/mediawiki/php-1.35.0-wmf.22/includes/WebRequest.php(813): MediaWiki\Session\SessionManager->getSessionForRequest(Object(WebRequest))
#4 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(129): WebRequest->getSession()
#5 /srv/mediawiki/php-1.35.0-wmf.22/includes/Setup.php(798): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /srv/mediawiki/php-1.35.0-wmf.22/includes/WebStart.php(89): require_once('/srv/mediawiki/...')
#7 /srv/mediawiki/php-1.35.0-wmf.22/index.php(44): require('/srv/mediawiki/...')
#8 /srv/mediawiki/w/index.php(3): require('/srv/mediawiki/...')
#9 {main}
Pchelolo edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.Mar 4 2020, 9:35 PM
Pchelolo subscribed.

A couple things I've tried to poke:

  • Grepped objectcache logs for possible timeouts to new sessionstore - nothing.
  • Tried to reproduce - logged out and was able to successfully log in, so at least the issue is not persistent.

@Krinkle were you able to login eventually? What steps did you take?

DannyS712 subscribed.Mar 4 2020, 9:58 PM
Reedy added a project: MediaWiki-extensions-OATHAuth.Mar 4 2020, 10:23 PM
Tgr subscribed.Mar 5 2020, 6:10 AM

This means that the session logic expected to find a CentralAuth session but found a local one (different cookies in the browser). Visit e.g. https://en.wikipedia.org/wiki/Special:UserLogin in incognito mode, you'll get the usual wiki session cookie, enwikiSession, and none of the centralauth_* cookies you'd see logged-in, nor any user cookies. That's the local session (needed for the login form CSRF check), which is replaced with the cookies for a CentralAuth session in the reponse to posting your credentials; but then that response also redirects you elsewhere to set up the global CentralAuth session, so maybe the cookies don't stick?

In general, see Manual:How to debug/Login problems for what data is typically needed to retrace what happened.

AMooney subscribed.Mar 27 2020, 1:40 PM

@Krinkle can you update the priority for this task?

daniel triaged this task as Medium priority.Apr 7 2020, 1:05 PM
daniel moved this task from Inbox to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
daniel subscribed.

Putting this into the ready column. The cause isn't entirely clear, but the symptom seems concrete enough to allow for investigation. At the very least, we should be able to improve logging.

Anomie assigned this task to daniel.Apr 8 2020, 5:16 PM
Pchelolo moved this task from Ready (WIP:5) to Later on the Platform Team Workboards (Clinic Duty Team) board.Apr 15 2020, 4:24 PM
TheresNoTime mentioned this in T299193: MediaWiki login failure due to race condition with session cookie.May 31 2022, 2:11 PM
kostajh subscribed.May 31 2022, 2:14 PM

Seems similar to T112730: Failure to OAuth after login on mobile.

Tgr added a comment.May 31 2022, 9:39 PM
In T246943#7970467, @kostajh wrote:

Seems similar to T112730: Failure to OAuth after login on mobile.

That one is probably related to the desktop and mobile domain getting mixed up during the CentralAuth login redirect sequence, and some cookie getting lost as a result.
This might be the same issue, but also simply a session timeout during the 2FA step (secondary authentication).

Aklapper removed daniel as the assignee of this task.Sep 26 2022, 10:30 AM
Aklapper removed subscribers: AMooney, Pchelolo.

Removing task assignee due to inactivity as this open task has been assigned for more than two years. See the email sent to the task assignee on August 22nd, 2022.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome!
If this task has been resolved in the meantime, or should not be worked on ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator. Thanks!

Reedy moved this task from Backlog to Bugs on the MediaWiki-extensions-OATHAuth board.Mar 29 2024, 4:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL