Steps to replicate the issue (include links if applicable):
- Open any site and run the example code below in the browser console. commons.m.wikimedia.org is used here to demonstrate.
(async () => {
  // Load the API module and fetch a login token for the current wiki.
  await mw.loader.using('mediawiki.api');
  const api = new mw.Api();
  const logintoken = await api.getToken('login');
  const params = {
    action: 'clientlogin',
    format: 'json',
    formatversion: '2',
    logintoken,
    loginreturnurl: 'example',
    username: 'example',
    password: 'example',
  };
  // The response to this POST carries the Set-Cookie headers shown below.
  await api.post(params);
})();
What happens?: API:Clientlogin sends cookie headers with the wrong domain, such as these:
set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=commons.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None
Because the cookies are set for the wrong domain, logging in on *.m.wikimedia.org through the API does not work now.
By contrast, on *.m.wikipedia.org the cookie domain is set correctly:
set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None
The cookie domain .wikipedia.org covers *.m.wikipedia.org, but a cookie with domain commons.wikimedia.org may only be set on commons.wikimedia.org itself, so the browser rejects it for commons.m.wikimedia.org.
What should have happened instead?: Send the correct cookie headers, as happens when submitting the login form on Special:UserLogin directly:
set-cookie: centralauth_ss0-User=example; expires=time; Max-Age=2592000; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_User=example; expires=time; Max-Age=2592000; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly; SameSite=None
set-cookie: ss0-centralauth_Session=example; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly
set-cookie: centralauth_Session=example; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly; SameSite=None
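The rule behind this is the cookie domain-matching check of RFC 6265 section 5.1.3: a browser stores a cookie only if the request host equals the Domain attribute or ends with "." plus that domain. The following is an added example (not code from the bug report or from MediaWiki) that applies that check to the three cases above; the Set-Cookie values are constructed to mirror the report.

```javascript
// Added example: would a browser at `host` store a cookie with this Domain attribute?
// Mirrors the RFC 6265 §5.1.3 domain-match rule; sample headers are constructed.

// Extract the Domain attribute from one Set-Cookie header value, or null if absent.
function cookieDomain(setCookie) {
  const attrs = setCookie.split(';').slice(1); // skip the name=value pair
  for (const a of attrs) {
    const [k, v] = a.trim().split('=');
    if (k.toLowerCase() === 'domain' && v) {
      // Browsers strip a single leading dot (RFC 6265 §5.2.3), so
      // "domain=.wikipedia.org" and "domain=wikipedia.org" behave the same.
      return v.trim().replace(/^\./, '').toLowerCase();
    }
  }
  return null; // no Domain attribute: host-only cookie for the exact request host
}

// RFC 6265 §5.1.3: the host domain-matches when it equals the cookie domain
// or ends with "." followed by the cookie domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// True if a browser receiving this Set-Cookie on a response from `host` keeps it.
function cookieAccepted(host, setCookie) {
  const d = cookieDomain(setCookie);
  return d === null || domainMatches(host, d);
}

// Constructed headers mirroring the three cases in the report.
const BROKEN = 'centralauth_Session=example; path=/; domain=commons.wikimedia.org; secure; HttpOnly; SameSite=None';
const WIKIPEDIA = 'centralauth_Session=example; path=/; domain=.wikipedia.org; secure; HttpOnly; SameSite=None';
const EXPECTED = 'centralauth_Session=example; path=/; domain=commons.m.wikimedia.org; secure; HttpOnly; SameSite=None';

// Evaluate each case from the mobile host the API response was fetched on.
function report() {
  return {
    brokenOnMobile: cookieAccepted('commons.m.wikimedia.org', BROKEN),     // false: rejected
    wikipediaOnMobile: cookieAccepted('en.m.wikipedia.org', WIKIPEDIA),     // true: parent domain matches
    expectedOnMobile: cookieAccepted('commons.m.wikimedia.org', EXPECTED), // true: exact host
  };
}
```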