Steps to replicate the issue (include links if applicable):
- Go to https://en.m.wikipedia.org/wiki/Special:CreateAccount
- Fill in the form and submit
What happens?:
- I am on https://en.wikipedia.org/wiki/Special:CentralLogin/complete?token={redacted} (note: desktop site, not mobile)
- I see an error message: "No active login attempt is in progress for your session." (centralauth-error-nologinattempt)
- I am not logged-in, but the account has been created
What should have happened instead?:
- I should have been on https://en.m.wikipedia.org/wiki/Special:WelcomeSurvey and I should be logged-in
Other information (browser name/version, screenshots, etc.):
- Closely related tasks T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile T318138: Cannot manually log in on mobile Wikidata (real or test) with probably same underlying issue, but this task is about the account creation workflow. It is possibly the same issue reported in T312042: After log in on mobile Beta Commons, user gets redirected to non-mobile page (and is not logged in there) although I don't understand why we are only recently seeing this in production, whereas T312042 was reported in July 2022.
- I see the same issue on eswiki and cswiki so presumably it affects all Wikipedias.
- Sometimes I am logged-in but I am still on the Special:CentralLogin page instead of Special:WelcomeSurvey, and on desktop instead of mobile
- This redirect issue does not happen on desktop domain
- You can look at reqId:"324772b2-87c1-4245-8264-2c4b1252a8ec" in Logstash to see debug logs from an account creation attempt on mobile.
HTTP request workflow on eswiki:
- POST https://es.m.wikipedia.org/w/index.php?title=Especial:Crear_una_cuenta&returnto=Wikipedia:Portada
- GET https://login.wikimedia.org/wiki/Special:CentralLogin/start?token={redacted}&cpPosIndex=2
- GET https://es.wikipedia.org/wiki/Special:CentralLogin/complete?token={redacted -- different value from above}
I don't know Special:CentralLogin at all, but I assume the tokens for /start and /complete steps should be the same, and here they are not. On desktop, the token for /start/ and /complete also varies, so that is not related to the problem.
Looking at the code, the place where the error is thrown is here in extensions/CentralAuth/includes/Special/SpecialCentralLogin.php:
// Get the user's current login attempt information $attempt = $request->getSessionData( $skey ); if ( !isset( $attempt['secret'] ) ) { $this->showError( 'centralauth-error-nologinattempt' ); return; }