
Confusing error message is shown when making an edit with cookies disabled
Closed, Resolved. Public. 1 Estimated Story Points

Description

On cs.wikipedia.beta.org I disabled all cookies and attempted to make an edit. My edit was saved but I ended up on https://cs.wikipedia.beta.wmflabs.org/wiki/Special:CentralLogin/complete?token=61d1b1e6759c826333446a2d2ad2e9b8 with the following error message:

There is no active login attempt in your session.

On en.wiki, no such error message is presented when making an anonymous edit while cookies are disabled.

Acceptance criteria
  • Update the displayed error message to more clearly indicate the problem:

Could not establish an active session. This may be because your browser does not store cookies.

Event Timeline

Tgr subscribed.

On enwiki you are not centrally logged in when you make an edit, on an IP masking wiki that needs to happen. I guess this is something we didn't have before - the login page does a cookie-based CSRF check so if you had cookies disabled you never even manage to login. But anonymous editing doesn't involve a CSRF check so the login process will fail in a later step.

What would be the expected behavior?

What would be the expected behavior?

I'm not sure! From a user perspective I'd expect to either be told I can't edit with cookies disabled (as the typical user login form does) or for the process to fail more gracefully - i.e. my edit goes through but I'm not presented with an error message.

Do we want to prevent cookieless anonymous editing? It would break a lot of bots (which might or might not be seen as a bad thing).

kostajh added subscribers: Niharika, kostajh.

Do we want to prevent cookieless anonymous editing? It would break a lot of bots (which might or might not be seen as a bad thing).

@Tgr do you have a recommendation for what to do here? cc @Niharika

Do we want to prevent cookieless anonymous editing? It would break a lot of bots (which might or might not be seen as a bad thing).

@Tgr do you have a recommendation for what to do here? cc @Niharika

Sorry I missed the ping. Some things that come to mind:

  • Get rid of anonymous edit CSRF tokens on temp user wikis. Pro: less confusing (users with no cookie support will just get a message about CSRF cookies), arguably more secure (cf T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block). Con: would need to create a session on the GET request, so more session writes (though probably not by much).
  • Try to provide a more meaningful error to the user after saving the edit. SessionManager does not make it easy to differentiate between no session cookies at all vs. invalid session cookies. Maybe we should fix that. But it seems like a lot of effort for a minor use case so we could just change There is no active login attempt in your session. to There is no active login attempt in your session. (Maybe your device does not store cookies?) or something.
  • Wontfix it. Seems like a fairly minor UX issue.

rMW366e55a990f1: session: Remember newly created secrets to fix Token::wasNew() fixed the equivalent issue for CSRF tokens, but since the token here is cross-wiki and can't use that, it's not affected.

Let's just do the i18n change, that's near-zero effort, then if someone feels strongly about this issue, we can figure out what else could be done.

The exact message is No active login attempt is in progress for your session. aka centralauth-error-nologinattempt. For central login we store a secret in the session and roundtrip it via redirect URL parameters, and this is the message when it's not there in the session at the end of the roundtrip. Maybe we could check if there is a (persisted) session at all and use a different message based on that. I'm not sure it's worth the effort.

@matmarex sorry didn't see you claiming the task. Feel free to pick a different solution (or non-solution) if you prefer.
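As an added illustration (not CentralAuth's or MediaWiki's code) of the round trip described above, and of the "no persisted session at all vs. secret missing from the session" distinction raised earlier in the thread, here is a constructed Python model in which the completion step picks the message by whether any session came back with the request. The in-memory session store, cookie jar and outcome keys are assumptions made for the example; the two error strings are the ones quoted in this task.

```python
import secrets
import hmac
from urllib.parse import urlparse, parse_qs

# Messages quoted from the task: the current centralauth-error-nologinattempt
# text and the wording proposed in the acceptance criteria.
MESSAGES = {
    "ok": "Login completed.",
    "no-login-attempt": "No active login attempt is in progress for your session.",
    "no-session": "Could not establish an active session. "
                  "This may be because your browser does not store cookies.",
}

class CentralLoginModel:
    """Constructed model of the round trip: the secret lives in the
    server-side session and is echoed back in the redirect URL."""
    def __init__(self):
        self.sessions = {}  # session id -> session data (assumed store)

    def start(self, cookies):
        sid = cookies.get("session")
        if sid not in self.sessions:  # no (valid) session cookie: create one
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        token = secrets.token_hex(16)
        self.sessions[sid]["central_login_secret"] = token
        return {"session": sid}, f"/wiki/Special:CentralLogin/complete?token={token}"

    def complete(self, cookies, url):
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        data = self.sessions.get(cookies.get("session"))
        if data is None:            # nothing persisted came back with the request
            return "no-session"
        expected = data.pop("central_login_secret", None)  # secret is single use
        if expected is None or not hmac.compare_digest(expected, token):
            return "no-login-attempt"
        return "ok"

def simulate(cookies_enabled, replay=False):
    """Drive one browser through the flow; returns the outcome key."""
    server, jar = CentralLoginModel(), {}
    set_cookie, redirect = server.start(jar)
    if cookies_enabled:             # a browser with cookies disabled drops Set-Cookie
        jar.update(set_cookie)
    outcome = server.complete(jar, redirect)
    if replay:                      # secret already consumed: a second use must fail
        outcome = server.complete(jar, redirect)
    return outcome
```

`simulate(False)` reproduces the reporter's situation and maps to the proposed wording, while a replayed or stale token with a live session still yields the original "no active login attempt" message.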

matmarex subscribed.

Sorry, I claimed this since I was working on rMW366e55a990f1: session: Remember newly created secrets to fix Token::wasNew() and rMW8b0ef86e80e3: Remove vestigial $wgInitialSessionId and related code recently, which were also about behavior when cookies are disabled, but then I didn't get around to working on this. I didn't mean to lock it up for so long. I don't feel strongly at all about how it's fixed, so feel free to do whatever. I can return to this once I'm back from my time off, if no one else does it by then.

Let us make the wording change at a minimum. It has come up on the talk page twice in the last week.

In general we should modify There is no active login attempt in your session to be more meaningful. I don't think it's clear what is meant by it.

Maybe something like: Could not establish an active session. This may be because your browser does not store cookies.

Does that make more sense?

Get rid of anonymous edit CSRF tokens on temp user wikis. Pro: less confusing (users with no cookie support will just get a message about CSRF cookies), arguably more secure (cf T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block). Con: would need to create a session on the GET request, so more session writes (though probably not by much).

@kostajh what do you think of this idea?

In general we should modify There is no active login attempt in your session to be more meaningful. I don't think it's clear what is meant by it.

Maybe something like: Could not establish an active session. This may be because your browser does not store cookies.

Does that make more sense?

This sounds fine to me.

Get rid of anonymous edit CSRF tokens on temp user wikis. Pro: less confusing (users with no cookie support will just get a message about CSRF cookies), arguably more secure (cf T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block). Con: would need to create a session on the GET request, so more session writes (though probably not by much).

@kostajh what do you think of this idea?

I guess this would be easier to answer if we did some analysis into the risk vs the expected number of new sessions.

Shall we use this task for the message, and file a new task if we decide to do (or look into doing) the larger fix?

Niharika triaged this task as Medium priority. Nov 17 2025, 11:04 AM
Niharika updated the task description.

Focusing this task on the rewording. We can keep discussing the larger issue in T40417.

hector.arroyo changed the task status from Open to In Progress. Nov 21 2025, 10:51 AM
hector.arroyo claimed this task.
hector.arroyo set the point value for this task to 1.

Change #1208301 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/CentralAuth@master] i18n: Update error message shown when the attempt info cannot be fetched

https://gerrit.wikimedia.org/r/1208301

Change #1208301 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] i18n: Update error message shown when the attempt info cannot be fetched

https://gerrit.wikimedia.org/r/1208301

dom_walden subscribed.

This is only a change to a translation file, so moving this along.