
Login failed/disappeared during 2FA
Open, Medium, Public

Description

Steps for the issue:

  • I opened a www.mediawiki.org page and found I was logged out.
  • I went to the login page and logged in successfully.
  • I was shown the 2FA step, where I entered the necessary numbers and submitted the form.

Actual outcome:

Error: No active login attempt is in progress for your session.

I've never seen this issue in the past several years of using 2FA, so I suspect it might be a regression?

Event Timeline

From Logstash around the time I logged in (today around 18:00 UTC):

Xl-s2wpAMNIAAftEcsgAAABP (2020-03-04T18:01:03, POST /w/index.php?title=Special:UserLogin):

  • [CentralAuth INFO] authentication for 'Krinkle' succeeded
  • [CentralAuth INFO] Already fully migrated user 'Krinkle'

Xl-s7gpAICwAAFl9AjsAAAAM (2020-03-04T18:01:18, POST /w/index.php?title=Special:UserLogin)

  • [authentication INFO] OATHAuth user Krinkle entered a valid OTP from …
  • [authentication INFO] Login for Krinkle succeeded from …
  • [goodpass-priv INFO] Login succeeded for elevated Krinkle from …
  • [authevents INFO] Login attempt {event: "login"}

Xl-s8QpAICIAAC7qGr0AAAAG (2020-03-04T18:01:21, GET /wiki/Special:CentralLogin/complete?token=…)

  • [session WARNING] Session "…": Metadata merge failed: {exception}
  • [CentralAuth INFO] Expected key centralauth:central-login-complete-token:… found.

Session "[50]CentralAuthSessionProvider<+:135822:Krinkle>…": Metadata merge failed: MediaWiki\Session\MetadataMergeException: Key "CentralAuthSource" changed

Stack trace:
in /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionProvider.php:205
#0 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(614): MediaWiki\Session\SessionProvider->mergeMetadata(Array, Array)
#1 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(485): MediaWiki\Session\SessionManager->loadSessionInfoFromStore(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))
#2 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(191): MediaWiki\Session\SessionManager->getSessionInfoForRequest(Object(WebRequest))
#3 /srv/mediawiki/php-1.35.0-wmf.22/includes/WebRequest.php(813): MediaWiki\Session\SessionManager->getSessionForRequest(Object(WebRequest))
#4 /srv/mediawiki/php-1.35.0-wmf.22/includes/session/SessionManager.php(129): WebRequest->getSession()
#5 /srv/mediawiki/php-1.35.0-wmf.22/includes/Setup.php(798): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /srv/mediawiki/php-1.35.0-wmf.22/includes/WebStart.php(89): require_once('/srv/mediawiki/...')
#7 /srv/mediawiki/php-1.35.0-wmf.22/index.php(44): require('/srv/mediawiki/...')
#8 /srv/mediawiki/w/index.php(3): require('/srv/mediawiki/...')
#9 {main}

Pchelolo added a subscriber: Pchelolo.

A couple things I've tried to poke:

  • Grepped objectcache logs for possible timeouts to new sessionstore - nothing.
  • Tried to reproduce - logged out and was able to successfully log in, so at least the issue is not persistent.

@Krinkle were you able to login eventually? What steps did you take?

This means that the session logic expected to find a CentralAuth session but found a local one (different cookies in the browser). Visit e.g. https://en.wikipedia.org/wiki/Special:UserLogin in incognito mode, you'll get the usual wiki session cookie, enwikiSession, and none of the centralauth_* cookies you'd see logged-in, nor any user cookies. That's the local session (needed for the login form CSRF check), which is replaced with the cookies for a CentralAuth session in the response to posting your credentials; but then that response also redirects you elsewhere to set up the global CentralAuth session, so maybe the cookies don't stick?

In general, see Manual:How to debug/Login problems for what data is typically needed to retrace what happened.
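
The cookie hand-off described in the comment above can be checked mechanically against a captured request sequence. This is an added example, not part of the original thread or of MediaWiki's code; `trace_login`, the step layout and the sample capture are assumptions made for illustration, and the cookie values are constructed placeholders.

```python
from http.cookies import SimpleCookie

CENTRAL_PREFIX = "centralauth_"  # CentralAuth cookie prefix named in the thread
LOCAL_SUFFIX = "Session"         # local session cookie, e.g. enwikiSession


def cookie_names(header):
    """Cookie names in a Cookie or Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header or "")
    return set(jar.keys())


def session_kind(names):
    """'central' wins over 'local' because both kinds can be present at once."""
    if any(n.startswith(CENTRAL_PREFIX) for n in names):
        return "central"
    if any(n.endswith(LOCAL_SUFFIX) for n in names):
        return "local"
    return "none"


def trace_login(steps):
    """steps: dicts with 'url', 'cookie' (request Cookie header) and
    'set_cookie' (response Set-Cookie values), in the order they occurred.
    Returns (kinds, findings); a finding marks a request that fell back to a
    non-central session after an earlier response had set centralauth_* cookies."""
    kinds, findings, issued_by = [], [], None
    for step in steps:
        kind = session_kind(cookie_names(step["cookie"]))
        kinds.append(kind)
        if issued_by and kind != "central":
            findings.append(f"{step['url']}: sent a {kind} session although "
                            f"{issued_by} set {CENTRAL_PREFIX}* cookies")
        for line in step["set_cookie"]:
            if session_kind(cookie_names(line)) == "central":
                issued_by = step["url"]
    return kinds, findings


# Constructed capture: the CentralAuth cookie set by the credentials POST
# is not sent on the following request ("the cookies don't stick").
SAMPLE = [
    {"url": "GET /wiki/Special:UserLogin", "cookie": "",
     "set_cookie": ["enwikiSession=aaa; Path=/; Secure; HttpOnly"]},
    {"url": "POST /w/index.php?title=Special:UserLogin",
     "cookie": "enwikiSession=aaa",
     "set_cookie": ["centralauth_Session=bbb; Path=/; Secure; HttpOnly"]},
    {"url": "GET /wiki/Special:CentralLogin/complete",
     "cookie": "enwikiSession=aaa", "set_cookie": []},
]
```
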

@Krinkle can you update the priority for this task?

daniel triaged this task as Medium priority. Apr 7 2020, 1:05 PM
daniel added a subscriber: daniel.

Putting this into the ready column. The cause isn't entirely clear, but the symptom seems concrete enough to allow for investigation. At the very least, we should be able to improve logging.

That one is probably related to the desktop and mobile domain getting mixed up during the CentralAuth login redirect sequence, and some cookie getting lost as a result.
This might be the same issue, but also simply a session timeout during the 2FA step (secondary authentication).

Aklapper removed subscribers: AMooney, Pchelolo.

Removing task assignee due to inactivity as this open task has been assigned for more than two years. See the email sent to the task assignee on August 22nd, 2022.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome!
If this task has been resolved in the meantime, or should not be worked on ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips on how to best manage your individual work in Phabricator. Thanks!