
CentralAuth edge login broken on desktop (coinciding with SameSite rollout)
Open, High, Public

Description

After logging in on, say, hu.wikipedia.org:

  • the login itself works
  • second-level domain cookies work - I am instantly logged in on en.wikipedia.org
  • edge login doesn't work (not necessarily, see comments) - I am not instantly logged in on any of the sister projects
  • autologin works - if I wait a second or two, I get logged in on any project.

Tested in Chrome 65, 83 and 84 on Ubuntu (on mobile and desktop; also with and without "keep me logged in" - neither seems to make much difference). samesite-sandbox.glitch.me suggests I am not opted into the new SameSite treatment yet.

I think the start of this coincided with the SameSite patch rollout.

See also T258121: Logging in to a wiki sometimes fails with 'sessionfailure' error (coinciding with SameSite rollout) which might be a different incarnation of the same cookie handling problem.

Event Timeline

Tgr triaged this task as High priority. Jul 15 2020, 2:35 PM

This seems significantly more broken now (although the behavior is non-deterministic so it's entirely possible that it was the same on Monday and I just did not notice it). Both edge login and autologin fail sometimes; there is no obvious pattern. Same behavior in Chrome 84 (which requires SameSite) and 83 (which doesn't).

I'm also seeing two different types of autologin: an mw.notice message, and the animation replacing the user toolbar. (I know these have been around for a long time; I'm not sure what their exact relationship is.) Once, I got the notice on visiting a new wiki, then the animation on the next reload, then normal logged-in state on the third. (Which is weird. Did autologin on the first request fail to set cookies somehow? This was on 83, so not a SameSite issue.)

Visiting the login page (which triggers CA autologin) always seems to work.

It seems like the second-level-domain centralauth_Session cookie is only set for the current domain and for loginwiki.

Special:CentralAutoLogin/start sets an anonymous session for some projects (which is expected behavior) but only outputs a bunch of deleted cookies for others. On the projects in the first group, autologin (but not edge login) works. On the second, it doesn't.
The deleted cookies are in themselves not that surprising, I've probably had a session on those wikis, which was invalidated when I logged out, so SessionManager is clearing them on the next visit. But that should not prevent initiating the anonymous session, and apparently it does.

There is also a massive amount of SameSite logspam in the Chrome developer console, presumably due to all the non-authentication cookies. Unhelpfully, the errors don't name which cookie they are about. We should consider an explicit SameSite=Lax (or None) default for them, to get rid of the noise.
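The comment above hinges on how a browser decides whether to attach a cookie to a cross-site request, which is exactly what changed with the SameSite rollout: edge login relies on a sub-resource loaded from another site (loginwiki) carrying its session cookie, and under Lax-by-default a cookie with no SameSite attribute is no longer sent on such requests. The script below is an added illustration and not MediaWiki or CentralAuth code; it parses Set-Cookie headers, applies the general Chrome 80+ rules (absent attribute treated as Lax, SameSite=None only honoured with Secure), and reports which request contexts each cookie would reach. The cookie names other than centralauth_Session and the header values are constructed for the example.

```python
"""Which cookies does a browser attach to a request, given the cookie's SameSite attribute?

Added illustration for the edge-login discussion; not MediaWiki/CentralAuth code.
It models the general rules of the SameSite change (Lax-by-default and
None-requires-Secure), not every browser-specific exception.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Request contexts that matter for a CentralAuth-style login flow.
SAME_SITE = "same-site"                      # e.g. hu.wikipedia.org -> en.wikipedia.org
TOP_LEVEL_GET = "cross-site-top-level-get"   # user navigates from one site to another
SUBRESOURCE = "cross-site-subresource"       # <img>/<script> on site A fetching from site B


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]   # "None", "Lax", "Strict", or None when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value, keeping only the attributes this model needs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()   # "none" -> "None", "lax" -> "Lax"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: Cookie, lax_by_default: bool) -> str:
    """Return the SameSite mode the browser actually applies, or "Rejected".

    Under the new treatment an absent attribute means Lax, and SameSite=None is
    only honoured on Secure cookies; a non-Secure SameSite=None cookie is dropped.
    """
    mode = cookie.samesite
    if mode is None:
        return "Lax" if lax_by_default else "None"
    if mode == "None" and lax_by_default and not cookie.secure:
        return "Rejected"
    return mode


def cookie_sent(cookie: Cookie, context: str, lax_by_default: bool = True) -> bool:
    """Would the browser attach this cookie to a request made in the given context?"""
    mode = effective_samesite(cookie, lax_by_default)
    if mode == "Rejected":
        return False
    if context == SAME_SITE:
        return True                      # every accepted cookie travels same-site
    if context == TOP_LEVEL_GET:
        return mode in ("None", "Lax")   # Strict cookies stay home on cross-site navigation
    if context == SUBRESOURCE:
        return mode == "None"            # only explicit None reaches cross-site sub-resources
    raise ValueError(f"unknown request context: {context}")


def audit(headers: List[str], lax_by_default: bool = True) -> Dict[str, Dict[str, bool]]:
    """Map each cookie name to the contexts in which the browser would send it."""
    report: Dict[str, Dict[str, bool]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        report[cookie.name] = {
            ctx: cookie_sent(cookie, ctx, lax_by_default)
            for ctx in (SAME_SITE, TOP_LEVEL_GET, SUBRESOURCE)
        }
    return report


# Constructed sample headers; only centralauth_Session is a name from the task.
SAMPLE_HEADERS = [
    "centralauth_Session=abc123; Domain=.wikipedia.org; Path=/; Secure; HttpOnly; SameSite=None",
    "hu_wikiSession=def456; Path=/; Secure; HttpOnly",   # no SameSite attribute at all
    "legacy_pref=1; Path=/; SameSite=None",               # None without Secure
    "strict_token=xyz; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for treatment in (False, True):
        print(f"\nLax-by-default: {treatment}")
        for name, contexts in audit(SAMPLE_HEADERS, treatment).items():
            print(f"  {name:22s} {contexts}")
```

Running it shows the pattern the comments describe: the cookie without a SameSite attribute reaches a cross-site sub-resource only under the old treatment, so a flow that depends on it works in a browser without Lax-by-default and fails in one with it, while the explicit `SameSite=None; Secure` cookie is sent in both. It also shows why an explicit default helps beyond quieting the console: a cookie that is meant to stay first-party gets `Lax`, a cookie that must travel cross-site gets `None` plus `Secure`, and nothing is left to the browser's changing default.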

Tgr updated the task description.
Tgr updated the task description.
Tgr renamed this task from CentralAuth edge login broken on desktop to CentralAuth edge login broken on desktop (coinciding with SameSite rollout). Jul 17 2020, 1:13 PM