
Cross-wiki session loss on Wikimedia wikis
Closed, Resolved, Public

Description

Steps to reproduce (probably non-deterministic): log in and open https://www.wikidata.org/ and https://commons.wikimedia.org/ in two browser tabs. When you refresh one, your session is lost in the other (when you refresh there as well, you get an anonymous initial pageview and then the "You are centrally logged in..." notice when CentralAuth autologin kicks in).

Event Timeline

Also the interaction: wikidatawiki <> dewiki - the same problem.

There has been a spike of "Failed to load session, unpersisting" log events which clearly coincides with the backport:

[Screenshot: Screenshot Capture - 2022-05-31 - 16-11-12.png]

Change 801683 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.13] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801683

Change 801683 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.13] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801683

Tgr changed the task status from Duplicate to Resolved. Edited May 31 2022, 2:52 PM

The revert helped. I'm not really sure what happened. I noticed the normal session cookie and the legacy SameSite session cookie (ss0-*) having a different value, so maybe it's due to cross-domain AJAX requests where the browser only sends one of those cookies and it gets changed but the other doesn't?

(Although some people say they could reproduce this with two tabs on the same site, and SameSite cookies wouldn't have any special behavior there.)
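One way to test the cookie hypothesis in the comment above against captured request headers, as an added example that is not part of the original thread and not MediaWiki or CentralAuth code. The cookie name `examplewikiSession`, the sample headers and the status labels are constructed for illustration; only the `ss0-` prefix comes from the thread.

```javascript
// Added diagnostic sketch; not MediaWiki or CentralAuth code.
const LEGACY_PREFIX = "ss0-"; // legacy SameSite cookie prefix mentioned in the thread

// Parse a raw Cookie request header into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // skip malformed fragments
    const name = part.slice(0, eq).trim();
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Compare one cookie with its ss0- twin. Returns a status only, never the
// cookie values, so the result is safe to write to a log.
function pairStatus(header, baseName) {
  const jar = parseCookieHeader(header);
  const normal = jar.get(baseName);
  const legacy = jar.get(LEGACY_PREFIX + baseName);
  if (normal === undefined && legacy === undefined) return "absent";
  if (legacy === undefined) return "normal-only";
  if (normal === undefined) return "legacy-only";
  return normal === legacy ? "match" : "diverged";
}

// Count statuses across many requests to see whether divergence is common.
function summarize(headers, baseName) {
  const counts = {};
  for (const h of headers) {
    const s = pairStatus(h, baseName);
    counts[s] = (counts[s] || 0) + 1;
  }
  return counts;
}

// Constructed sample headers; the cookie name and values are made up.
const SAMPLE_HEADERS = [
  "examplewikiSession=aaa111; ss0-examplewikiSession=aaa111; theme=dark",
  "examplewikiSession=bbb222; ss0-examplewikiSession=aaa111",
  "examplewikiSession=bbb222",
  "theme=dark",
];

console.log(summarize(SAMPLE_HEADERS, "examplewikiSession"));
```

A rise in "diverged" or "normal-only" requests during the deployment window would support the hypothesis; reproductions with two tabs on the same site would need a different explanation.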

Change 801748 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.39.0-wmf.14] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801748

Change 801749 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801749

Change 801748 merged by jenkins-bot:

[mediawiki/core@wmf/1.39.0-wmf.14] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801748

Change 801749 merged by jenkins-bot:

[mediawiki/core@master] Revert "Tombstone the old session on SessionBackend::resetId()"

https://gerrit.wikimedia.org/r/801749

Here are some relevant log frequencies - the patch was deployed at 11:01 UTC on Tuesday and undeployed at 14:46, I think? (It did not get logged in SAL or here for some reason, and my IRC bouncer's clock is way off).

| channel | message | graph |
| --- | --- | --- |
| session | Persisting session due to no pre-existing stored session | Screenshot Capture - 2022-06-01 - 19-15-39.png |
| session | Persisting session for unknown reason | Screenshot Capture - 2022-06-01 - 19-17-00.png |
| session | Persisting session for renewal | Screenshot Capture - 2022-06-01 - 19-18-02.png |
| session | Failed to load session, unpersisting | Screenshot Capture - 2022-06-01 - 19-19-00.png |
| session | Session "{session}": Metadata merge failed: Key "CentralAuthSource" changed | Screenshot Capture - 2022-06-01 - 19-19-50.png |
| session | Session "{session}": Unverified user provided and no metadata to auth it | Screenshot Capture - 2022-06-01 - 19-21-16.png |
| session | Session "{session}": Metadata has an anonymous user, but a non-anon user was provided | Screenshot Capture - 2022-06-01 - 19-22-33.png |
| authentication | Login for {user} succeeded from {clientip} | Screenshot Capture - 2022-06-01 - 19-24-42.png |

Most of these are normal side effects of the session churn. I'm not sure what to make of the "Metadata has an anonymous user, but a non-anon user was provided" one, or the drop in "Persisting session due to no pre-existing stored session" is probably