Page MenuHomePhabricator
Create Task
Maniphest T335125

Account creation attempt on mobile Wikipedia domain leads user to desktop Special:CentralLogin/complete, often in logged-out state
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Go to https://en.m.wikipedia.org/wiki/Special:CreateAccount
  • Fill in the form and submit

What happens?:

  • I am on https://en.wikipedia.org/wiki/Special:CentralLogin/complete?token={redacted} (note: desktop site, not mobile)
  • I see an error message: "No active login attempt is in progress for your session." (centralauth-error-nologinattempt)
  • I am not logged-in, but the account has been created

image.png (1×1 px, 269 KB)

What should have happened instead?:

  • I should have been on https://en.m.wikipedia.org/wiki/Special:WelcomeSurvey and I should be logged-in

Other information (browser name/version, screenshots, etc.):

HTTP request workflow on eswiki:

I don't know Special:CentralLogin at all, but I assume the tokens for /start and /complete steps should be the same, and here they are not. On desktop, the token for /start/ and /complete also varies, so that is not related to the problem.

Looking at the code, the place where the error is thrown is here in extensions/CentralAuth/includes/Special/SpecialCentralLogin.php:

// Get the user's current login attempt information
$attempt = $request->getSessionData( $skey );
if ( !isset( $attempt['secret'] ) ) {
	$this->showError( 'centralauth-error-nologinattempt' );
	return;
}

Related Objects

Event Timeline

kostajh created this task.Apr 20 2023, 11:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 20 2023, 11:46 AM
kostajh triaged this task as Unbreak Now! priority.Apr 20 2023, 11:46 AM
kostajh updated the task description. (Show Details)
kostajh updated the task description. (Show Details)Apr 20 2023, 11:49 AM
kostajh added a project: Mobile.
kostajh updated the task description. (Show Details)
kostajh mentioned this in T252244: CentralAuth extension: Code stewardship review.Apr 20 2023, 11:52 AM
kostajh added a project: MediaWiki-Core-AuthManager.
Ladsgroup subscribed.Apr 20 2023, 11:56 AM
kostajh updated the task description. (Show Details)Apr 20 2023, 11:59 AM
kostajh updated the task description. (Show Details)Apr 20 2023, 12:08 PM
kostajh updated the task description. (Show Details)Apr 20 2023, 12:13 PM
kostajh updated the task description. (Show Details)Apr 20 2023, 12:17 PM
kostajh updated the task description. (Show Details)Apr 20 2023, 12:31 PM
kostajh added a comment.Apr 20 2023, 12:37 PM

Wild guess, might this have something to do with the datacenter switchover (T327920)? It doesn't seem that likely given that the creation workflow is functional on desktop, but bringing it up as a possibility.

Otherwise, I think the next step would be to start looking through changes to CentralAuth and MediaWiki core hooks / session code.

kostajh renamed this task from Account creation workflow is broken on mobile domain to Account creation attempt on mobile Wikipedia domain leads user to logged-out state on desktop Special:CentralLogin/complete.Apr 20 2023, 12:51 PM
kostajh updated the task description. (Show Details)Apr 20 2023, 12:53 PM
Tgr subscribed.Apr 20 2023, 12:54 PM

This is probably T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile - local login succeeds but central login fails, presumably due to a mobile -> desktop redirect happening somewhere in the middle of the process and cookies getting lost because of that (the way mobile domain support is hacked onto MediaWiki isn't very reliable). This would affect account creations as well (they are followed by account creation just the same).

At the end, you are logged in on en.m.wikipedia.org but not on en.wikipedia.org. (If you aren't logged on at either, that would be an error in AuthManager, not in CentralAuth. That codebase doesn't change much, is heavily tested, and isn't affected much by browser behavior, so I wouldn't expect it to be the case.) Which of those domains your browser ends up on depends, I think, on how you arrived on the mobile domain (device autodetection vs. going to that domain directly vs. interacting with the mobile/desktop toggle).

T318138: Cannot manually log in on mobile Wikidata (real or test) is also the same issue. Not sure about T318138: Cannot manually log in on mobile Wikidata (real or test) which sounds the same but results in a different error (and it's reported on Beta so all bets are off anyway).

kostajh added a comment.Apr 20 2023, 12:59 PM
In T335125#8796089, @Tgr wrote:

This is probably T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile - local login succeeds but central login fails, presumably due to a mobile -> desktop redirect happening somewhere in the middle of the process and cookies getting lost because of that (the way mobile domain support is hacked onto MediaWiki isn't very reliable). This would affect account creations as well (they are followed by account creation just the same).

Local login succeeds when I use WikimediaDebug to route traffic through a mwdebug server, but otherwise, I am logged out on both mobile and desktop domains.

kostajh added a comment.Apr 20 2023, 1:02 PM
In T335125#8796122, @kostajh wrote:
In T335125#8796089, @Tgr wrote:

This is probably T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile - local login succeeds but central login fails, presumably due to a mobile -> desktop redirect happening somewhere in the middle of the process and cookies getting lost because of that (the way mobile domain support is hacked onto MediaWiki isn't very reliable). This would affect account creations as well (they are followed by account creation just the same).

Local login succeeds when I use WikimediaDebug to route traffic through a mwdebug server, but otherwise, I am logged out on both mobile and desktop domains.

Which also makes me wonder if the datacenter switchover (and multi-DC plumbing more generally) is somehow implicated, because the mwdebug servers are using codfw, and my browser is showing that the GET requests are being served by eqiad. I don't know why this would be failing to work on mobile domain requests, though, and succeeding on desktop.

kostajh renamed this task from Account creation attempt on mobile Wikipedia domain leads user to logged-out state on desktop Special:CentralLogin/complete to Account creation attempt on mobile Wikipedia domain leads user to desktop Special:CentralLogin/complete, often in logged-out state.Apr 20 2023, 1:38 PM
kostajh added subscribers: Zabe, taavi.Apr 20 2023, 1:47 PM
Tgr added a comment.Apr 20 2023, 5:15 PM

Special:CentralAutoLogin is forced to go to the primary DC but Special:CentralLogin doesn't. I wonder if that's an intentional omission.

Tgr added a comment.Apr 20 2023, 5:17 PM

FWIW mwdebug servers are different in a number of ways (slower which might matter for race conditions, Varnish/ATS logic does not run, your request always goes to the same machine which might be relevant for things that use two layers of cache).

kostajh added a project: SRE.Apr 24 2023, 10:28 AM
In T335125#8797112, @Tgr wrote:

Special:CentralAutoLogin is forced to go to the primary DC but Special:CentralLogin doesn't. I wonder if that's an intentional omission.

Tagging SRE for awareness and also to consider the above comment. Should Special:CentralLogin be forced to the primary DC?

Ladsgroup added a subscriber: tstarling.Apr 24 2023, 10:30 AM

That file is mostly written by @tstarling so I recommend getting his opinion on this.

kostajh mentioned this in T335276: Add monitoring of new editor activation, split by wiki, desktop/mobile and experiment variant.Apr 24 2023, 10:47 AM
Marostegui subscribed.Apr 24 2023, 11:13 AM

Tim is back tomorrow, is this still UBN? or can it be reduced to high?

kostajh lowered the priority of this task from Unbreak Now! to High.Apr 24 2023, 11:34 AM
In T335125#8800993, @Marostegui wrote:

Tim is back tomorrow, is this still UBN? or can it be reduced to high?

One could argue that this task meets the standards for "Unbreak Now!" per https://wikitech.wikimedia.org/wiki/Deployments/Holding_the_train#Issues_that_hold_the_train

Major feature regressions
Inability to login/logout/create account for a large portion of users

But since affected users are sometimes logged-in (though never on mobile) and the account is created, allowing the user to login again, I suppose we could justify dropping this to "High" priority.

kostajh assigned this task to Tgr.Apr 25 2023, 11:21 AM
kostajh added a project: Growth-Team (Sprint 0 (Growth Team)).

@Tgr is going to take a time-boxed look into this issue (~2 days).

kostajh moved this task from Incoming to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.Apr 25 2023, 11:21 AM
kostajh added a comment.Apr 26 2023, 2:14 PM

Problem is still happening, even after the datacenter switchover was completed, so I think we can rule that out. (Assuming that the SessionStorage service is also back to eqiad; I have not verified that.)

Jdlrobson subscribed.Jun 9 2023, 10:33 PM

Could https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/4fddd1269809960b9a7faa0c480ca6a9d735d36e/wmf-config/CommonSettings.php#2767 have something to do with this?

Jdlrobson moved this task from Backlog to Workflow on the MediaWiki-User-login-and-signup board.Jul 13 2023, 4:00 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Sep 2 2023, 2:05 PM
Tgr mentioned this in T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile.Oct 16 2023, 6:01 AM
KStoller-WMF edited projects, added Growth-Team (Sprint 1 (Growth Team)); removed Growth-Team (Sprint 0 (Growth Team)).Oct 17 2023, 3:08 PM
KStoller-WMF edited projects, added Growth-Team; removed Growth-Team (Sprint 1 (Growth Team)).Oct 17 2023, 3:24 PM
matmarex closed this task as Resolved.Nov 20 2023, 10:19 PM
matmarex added a project: MediaWiki-Platform-Team.
matmarex subscribed.

Looks resolved by @Tgr's changes in T257852.

I tested by registering https://en.m.wikipedia.org/wiki/User:Matma_Rex_test_2023-11-20, I have been redirected to https://en.m.wikipedia.org/w/index.php?title=Special:WelcomeSurvey&returnto=&returntoquery=&group=control&_welcomesurveytoken=<snip> afterwards.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits