
Sessions are not shared between the main app server and the API server
Closed, Resolved | Public | 8 Estimated Story Points | BUG REPORT

Description

Bug report

Steps to Reproduce:

  1. Go to https://xtools.wmflabs.org/login.
  2. Click “Allow” button.
  3. Click “Automated Edits — Analysis of semi-automated and non-automated contributions” button.
  4. Wait for the page to finish loading and then refresh the page.

Actual Results:
You have been logged out.

Expected Results:
You are still logged in.

Conclusion

Some tools like the AutoEdits index page make an internal API request which gets re-routed to the API server. Both have their own separate caching systems, and that there, my friends, is the problem! They need to be shared. We would have needed to come up with a solution for this soon anyway, as in the future we will offer API endpoints requiring authentication.

Solution

Using Redis would be ideal, but rather than set up our own Redis instance, or rely on Toolforge's, we could instead use MariaDB storage as provided by Trove from Cloud VPS. This could be used to store both session data and the various metrics we collect, all in one place.

Event Timeline

MusikAnimal subscribed.

I'm assuming this is the same issue as T224382: Investigate why tools do not stay logged in for the duration of the session cookie, but I really like that you found a way to reliably reproduce it! This has been a long-standing issue and it's quite a mystery as to why it happens. I will try to look more into this soon.

IN renamed this task from Xtools accidentally logged out to XTools accidentally logged out. Mar 10 2021, 11:27 PM

Out of everything it had to be AutoEdits which causes the problem. I clicked on every one of the tools, and none of the others resulted in a logout. This made testing new AutoEdits configurations in sandbox mode nearly impossible.


Yes, I think T224382 is a more general problem (sessions don't persist but for so long), but indeed there is something weird going on with AutoEdits, specifically. I've done extensive testing and still can't figure it out :( I'm not giving up, though!

When I test changes to the config, I usually go to the result page directly (i.e. https://xtools.wmflabs.org/autoedits/meta.wikimedia.org/1234qwer1234qwer4?usesandbox=1), and I'm not logged out as frequently that way. Apparently no matter what, browsing to the form page at https://xtools.wmflabs.org/autoedits will delete your session cookie, so do avoid that. Apologies for the inconvenience!

I also noticed that when I load the sandbox mode page while logged out, resulting in the warning message that the production config is used, and log in from there, I am displayed as logged in and the sandbox config is in fact used, but the warning is still shown. Possibly that's related.

Apparently no matter what, browsing to the form page at https://xtools.wmflabs.org/autoedits will delete your session cookie, so do avoid that. Apologies for the inconvenience!

So this bug is unfixable? Or can we fix it?

IN renamed this task from XTools accidentally logged out to XTools accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will delete your session cookie). Jul 25 2021, 11:52 AM
IN renamed this task from XTools accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will delete your session cookie) to Visit some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits then delete your session cookie). Jul 25 2021, 11:54 AM
IN renamed this task from Visit some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits then delete your session cookie) to Visit some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will be delete your session cookie).
IN renamed this task from Visit some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will be delete your session cookie) to Browsing some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will be delete your session cookie).
1234qwer1234qwer4 renamed this task from Browsing some pages on XTool can accidentally logged out (browsing to the form page at https://xtools.wmflabs.org/autoedits will be delete your session cookie) to AutoEdits start page deletes your session cookie. Jul 25 2021, 11:56 AM

Sorry, the latest titles are very ungrammatical.

This comment was removed by IN.
IN renamed this task from AutoEdits start page deletes your session cookie to Browsing XTools' AutoEdits start page deletes your session cookie. Jul 25 2021, 11:58 AM

This title should be the best.

IN renamed this task from Browsing XTools' AutoEdits start page deletes your session cookie to Browsing XTools' AutoEdits start page deletes your session cookie in XTools. Jul 25 2021, 4:06 PM

Prevents the title from being interpreted as deleting all session cookies.

Mystery solved! The AutoEdits page makes a request to the XTools API (to fetch the tool names for the given wiki). This means the request is routed to the dedicated API server, and since we're using the filesystem for session storage, there's a session mismatch and boom -- your session is now that of the API server! That explains why this bug never surfaced locally or on staging, which run on a single server. It might also be the cause of T224382, as various other parts of XTools will also make internal API requests, but I'm not 100% sure about that yet.

At any rate, we want shared sessions anyway as we hope to eventually introduce authenticated API access. I'm going to reword this ticket to encompass that effort.

MusikAnimal renamed this task from Browsing XTools' AutoEdits start page deletes your session cookie in XTools to Sessions are not shared between the main app server and the API server. Apr 12 2023, 4:34 AM
MusikAnimal changed the task status from Open to In Progress.
MusikAnimal updated the task description.
MusikAnimal set the point value for this task to 8.
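
The session mismatch described in the "Mystery solved!" comment, replayed as a small simulation (an added example, not XTools code). It assumes a node that receives an unknown session ID issues a fresh anonymous session and cookie; the `/api/example` path, the `Example` user and all class names are hypothetical.

```python
import secrets

class Server:
    """One web node with a server-side session store (dict: session id -> data)."""
    def __init__(self, name, store):
        self.name, self.store = name, store

    def handle(self, cookie_sid, login_as=None):
        """Return (session id to set in the cookie, username seen by this node)."""
        sid = cookie_sid
        if sid not in self.store:            # assumed: unknown ID -> fresh session
            sid = secrets.token_hex(8)
            self.store[sid] = {"user": None}
        if login_as:
            self.store[sid]["user"] = login_as
        return sid, self.store[sid]["user"]

class Browser:
    """One cookie jar for the host; /api/* requests are routed to the API node."""
    def __init__(self, app, api):
        self.app, self.api, self.sid = app, api, None

    def get(self, path, login_as=None):
        node = self.api if path.startswith("/api/") else self.app
        # The returned Set-Cookie value overwrites whatever the jar held before.
        self.sid, user = node.handle(self.sid, login_as)
        return user

def reproduce(app_store, api_store):
    """Replay the ticket's steps; return the user seen after the refresh."""
    b = Browser(Server("app", app_store), Server("api", api_store))
    b.get("/login", login_as="Example")   # steps 1-2: log in on the app node
    b.get("/autoedits")                   # step 3: load the AutoEdits form ...
    b.get("/api/example")                 # ... which makes an internal API call
    return b.get("/autoedits")            # step 4: refresh the page

def logged_out_with_separate_stores():
    # Per-node filesystem storage: each node only knows its own sessions.
    return reproduce({}, {}) is None

def logged_in_with_shared_store():
    shared = {}                           # stands in for one shared session table
    return reproduce(shared, shared) == "Example"

if __name__ == "__main__":
    print("separate stores -> logged out:", logged_out_with_separate_stores())
    print("shared store    -> logged in: ", logged_in_with_shared_store())
```

On a single server both roles read the same store, which is why the second case also matches the local and staging behaviour mentioned in the comment.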

It's great that this task is finally beginning to be solved.

Fixed! Will go out with XTools 3.17 which should finally be released either this week or next.

MusikAnimal moved this task from Pending deployment to Complete on the XTools board.