
API:Clientlogin send wrong cookie headers on mobile domains
Closed, Resolved | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Open any site and run the example code in the console. Use commons.m.wikimedia.org to see it.
(async() => {
	// Load the API module and obtain a login token
	await mw.loader.using('mediawiki.api');
	const api = new mw.Api();
	const logintoken = await api.getToken('login');
	const params = {
		action: 'clientlogin',
		format: 'json',
		formatversion: '2',
		logintoken,
		loginreturnurl: 'example',
		username: 'example',
		password: 'example',
	};
	// POST the login request; inspect the Set-Cookie headers of the response in the Network tab
	await api.post(params);
})();

What happens?: API:Clientlogin sends wrong cookie headers, such as these:

set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=commons.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None

Because the cookies are set for the wrong domain, it can't log in on *.m.wikimedia.org through the API now.

But *.m.wikipedia.org's cookie domain looks like this, which is fine:

set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None

Cookie domain .wikipedia.org includes the domain *.m.wikipedia.org, but a cookie with domain commons.wikimedia.org is only allowed to be set on commons.wikimedia.org.

What should have happened instead?: Send the right cookie headers, like submitting directly through the login form on the Special:UserLogin page:

set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly; SameSite=None

Event Timeline

AnYiLin triaged this task as Unbreak Now! priority. Jan 31 2023, 3:58 AM
AnYiLin updated the task description.

@AnYiLin can you explain why you marked this as Unbreak now? Did this previously work and it stopped working (a regression)?

@Legoktm I don't know your criteria for prioritization. I just think Unbreak is more urgent than High.

Did this previously work and it stopped working (a regression)?

As I described above, it really doesn't work anymore. I'm not sure if it worked before.

Legoktm lowered the priority of this task from Unbreak Now! to Needs Triage. Jan 31 2023, 4:15 AM
Bawolff renamed this task from API:Clientlogin send wrong cookie headers to API:Clientlogin send wrong cookie headers on mobile domains. Jan 31 2023, 4:19 AM
I subscribed.

I can reproduce this in the mobile version of MediaWiki very well. Add the mobile version tag and let their staff come over to have a look.

@AnYiLin You seem to have a way to get around this bug. Can you write the script for us first?

This comment was removed by AnYiLin.
Tgr triaged this task as Low priority. Feb 20 2023, 11:19 PM
Tgr subscribed.

Not great but login will still work because of the second-level domain cookies.

T156847: Core should be aware of the domain it is running on and render mobile domains where necessary (or more generally T195494: Handle mobile domains in core) is the related core task.

In T328397#8631007, @Tgr wrote:

Not great but login will still work because of the second-level domain cookies.

Emm, I think the domain commons.wikimedia.org can set cookies on .commons.wikimedia.org, commons.wikimedia.org, .wikimedia.org and wikimedia.org, but cannot set them on commons.m.wikimedia.org.

The mobile domain is commons.m.wikimedia.org, not m.commons.wikimedia.org.

Fixed in T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile. Confirmed we are setting all cookies on commons.m.wikimedia.org now (technically, we don't set a domain at all).

Tgr claimed this task.
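To make the scoping rule behind this report concrete, here is an added example (not code from the task or from MediaWiki/CentralAuth) that parses Set-Cookie lines shaped like the ones quoted above and applies RFC 6265 domain matching to show why a cookie with domain=commons.wikimedia.org is rejected on commons.m.wikimedia.org, why domain=.wikipedia.org covers the mobile Wikipedia hosts, and what the fix of setting no Domain attribute at all (a host-only cookie) does. Cookie values and header lines are constructed placeholders.

```javascript
// Parse one Set-Cookie header line into the cookie name and its Domain attribute.
// A missing Domain attribute is returned as null (host-only cookie).
const parseSetCookie = (line) => {
  const body = line.replace(/^set-cookie:\s*/i, '');
  const [nameValue, ...attrs] = body.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  let domain = null;
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'domain' && v) {
      // RFC 6265 §5.2.3: a leading dot is ignored, matching is case-insensitive
      domain = v.toLowerCase().replace(/^\./, '');
    }
  }
  return { name, domain };
};

// RFC 6265 §5.1.3: host domain-matches domainString when they are equal or
// host ends with "." + domainString.
const domainMatches = (host, domainString) =>
  host === domainString || host.endsWith('.' + domainString);

// Would a browser that received `setCookieLine` from `responseHost` later send
// the cookie to `requestHost`? Host-only cookies are bound to the exact response
// host. A cookie with a Domain attribute is ignored entirely unless the response
// host is inside that domain (§5.3 step 6); otherwise it is sent to the domain
// and all of its subdomains. (Real browsers also reject public-suffix domains.)
const cookieSentTo = (setCookieLine, responseHost, requestHost) => {
  const { domain } = parseSetCookie(setCookieLine);
  if (domain === null) return requestHost === responseHost;
  if (!domainMatches(responseHost, domain)) return false; // cookie rejected
  return domainMatches(requestHost, domain);
};

// Constructed header lines mirroring the three cases in the task description.
const WRONG = 'set-cookie: centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None';
const WIKIPEDIA = 'set-cookie: centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None';
const FIXED = 'set-cookie: centralauth_Session=example; path=/; secure; HttpOnly; SameSite=None';

// Bug: the mobile host is not inside commons.wikimedia.org, so the cookie is dropped.
console.log(cookieSentTo(WRONG, 'commons.m.wikimedia.org', 'commons.m.wikimedia.org')); // false
// Wikipedia: .wikipedia.org covers every mobile and desktop Wikipedia host.
console.log(cookieSentTo(WIKIPEDIA, 'en.m.wikipedia.org', 'en.wikipedia.org')); // true
// Fix: no Domain attribute, so the cookie is stored for exactly the host that set it.
console.log(cookieSentTo(FIXED, 'commons.m.wikimedia.org', 'commons.m.wikimedia.org')); // true
console.log(cookieSentTo(FIXED, 'commons.m.wikimedia.org', 'commons.wikimedia.org')); // false
```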