On an internal wiki of ours, every now and then we have a weird authentication failure, such as in this image:
We did some digging, and found this in the logs:
[session] Sealed secret has been tampered with, aborting.
#0 /var/www/html/includes/auth/AuthManager.php(2276): MediaWiki\Session\Session->getSecret(string)
#1 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(113): MediaWiki\Auth\AuthManager->setAuthenticationSessionData(string, string)
#2 /var/www/html/includes/specialpage/SpecialPage.php(600): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute(NULL)
#3 /var/www/html/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)
#4 /var/www/html/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#5 /var/www/html/includes/MediaWiki.php(947): MediaWiki->performRequest()
#6 /var/www/html/includes/MediaWiki.php(547): MediaWiki->main()
#7 /var/www/html/index.php(53): MediaWiki->run()
#8 /var/www/html/index.php(46): wfIndexMain()
#9 {main}
[...A lot of messages about saving sessions to objectcache...]
[PluggableAuth] ERROR: return to URL is null or empty
Steps to replicate the issue (include links if applicable):
- Use a PluggableAuth workflow to sign up (we use WSOAuth).
- Find a way to create the issue "Sealed secret has been tampered with, aborting." during execution of "$this->authManager->setAuthenticationSessionData( self::USERNAME_SESSION_KEY, $username );" in PluggableAuthLogin.php.
What happens?:
You get an error as described above
What should have happened instead?:
Authentication was successful, so you should not get an error.
Software version (skip for WMF-hosted wikis like Wikipedia):
MediaWiki 1.35
I could fix this issue as follows:
diff diff --git a/includes/PluggableAuthLogin.php b/includes/PluggableAuthLogin.php index 21ec13c..033f13a 100644 --- a/includes/PluggableAuthLogin.php +++ b/includes/PluggableAuthLogin.php @@ -79,7 +79,7 @@ class PluggableAuthLogin extends UnlistedSpecialPage { $authManager->setAuthenticationSessionData( self::ERROR_SESSION_KEY, $error ); } - $returnToUrl = $authManager->getAuthenticationSessionData( + $returnToUrl = $authManager->getRequest()->getSession()->getSecret( self::RETURNTOURL_SESSION_KEY ); if ( $returnToUrl === null || strlen( $returnToUrl ) === 0 ) { wfDebugLog( 'PluggableAuth', 'ERROR: return to URL is null or empty' ); diff --git a/includes/PluggableAuthPrimaryAuthenticationProvider.php b/includes/PluggableAuthPrimaryAuthenticationProvider.php index 4fcccd7..55b35be 100644 --- a/includes/PluggableAuthPrimaryAuthenticationProvider.php +++ b/includes/PluggableAuthPrimaryAuthenticationProvider.php @@ -25,7 +25,7 @@ class PluggableAuthPrimaryAuthenticationProvider extends AbstractPrimaryAuthenti } } $url = SpecialPage::getTitleFor( 'PluggableAuthLogin' )->getFullURL(); - $this->manager->setAuthenticationSessionData( + $this->manager->getRequest()->getSession()->setSecret( PluggableAuthLogin::RETURNTOURL_SESSION_KEY, $request->returnToUrl ); $this->manager->setAuthenticationSessionData( PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY, $extraLoginFields );
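Review bot: in the PluggableAuthLogin.php hunk the return-to URL is now read straight from the session as a top-level sealed key instead of from AuthManager's authentication session data, so RETURNTOURL_SESSION_KEY shares a namespace with every other session key and is no longer handled by AuthManager alongside the other values (EXTRALOGINFIELDS_SESSION_KEY still goes through setAuthenticationSessionData); use a prefixed key and remove it explicitly once the redirect has been issued. Also note that getSecret() returns its default when the seal check fails, which is exactly what the unchanged `if ( $returnToUrl === null || strlen( $returnToUrl ) === 0 )` branch then catches, so the "ERROR: return to URL is null or empty" log line will from now on also cover a failed seal verification and hide the real cause; log the two cases separately.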
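Review bot: the PluggableAuthPrimaryAuthenticationProvider.php hunk routes around the failure rather than addressing it: the trace above shows the error raised inside setAuthenticationSessionData's own getSecret() call, and the unchanged `$this->manager->setAuthenticationSessionData( PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY, $extraLoginFields );` two lines below still takes that path, so the same "Sealed secret has been tampered with" failure can recur there. Either move that call as well or document why only the return-to URL needed to change, and keep the two sides paired (setSecret here, getSecret in PluggableAuthLogin.php), since a value written with setSecret is not readable through getAuthenticationSessionData.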
but I do not know if you want this to be done this way.
Any ideas on why "Sealed secret has been tampered with" is occurring are more than welcome!
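As an added illustration, not code from the reporter, MediaWiki or PluggableAuth, the toy store below models what a "sealed secret" check does: values are HMAC-sealed with key material derived from a site secret plus a per-session secret, and get_secret returns its default whenever the tag does not verify. The class, the key derivation, the "wsSessionSecret" key and WIKI_SECRET are assumptions made for the example; it shows that a blob altered after sealing and an intact blob read under a session with different key material are rejected identically.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the site-wide secret ($wgSecretKey); not a real value.
WIKI_SECRET = b"constructed-site-secret-do-not-reuse"


class SealedSession:
    """Toy session store that seals values with an HMAC keyed from a site secret plus a
    per-session secret. Assumed to mirror the shape of MediaWiki's sealed session secrets."""

    def __init__(self, session_secret=None):
        self.data = {"wsSessionSecret": session_secret or secrets.token_hex(32)}

    def _hmac_key(self):
        # Key material binds every seal to this particular session.
        salt = bytes.fromhex(self.data["wsSessionSecret"])
        return hashlib.pbkdf2_hmac("sha256", WIKI_SECRET, salt, 1000, 32)

    def set_secret(self, key, value):
        payload = json.dumps(value).encode()
        tag = hmac.new(self._hmac_key(), payload, hashlib.sha256).hexdigest()
        self.data[key] = tag + "." + payload.hex()

    def get_secret(self, key, default=None):
        stored = self.data.get(key)
        if stored is None:
            return default
        tag, payload_hex = stored.split(".", 1)
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(self._hmac_key(), payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            # Where a real store logs "Sealed secret has been tampered with, aborting."
            return default
        return json.loads(payload)


def demo():
    s = SealedSession()
    s.set_secret("returnToUrl", "https://wiki.example/Main_Page")  # constructed URL
    ok = s.get_secret("returnToUrl")
    # Case 1: the sealed blob is altered after sealing -> rejected.
    tampered = SealedSession(s.data["wsSessionSecret"])
    blob = s.data["returnToUrl"]
    tampered.data["returnToUrl"] = blob[:-1] + ("0" if blob[-1] != "0" else "1")
    # Case 2: intact blob, but read under a session with other key material -> also rejected.
    other = SealedSession()
    other.data["returnToUrl"] = blob
    return ok, tampered.get_secret("returnToUrl"), other.get_secret("returnToUrl")
```

Because both cases produce the same log line, a session whose key material changed between the write and the read looks exactly like real tampering in the logs.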