Page MenuHomePhabricator
Create Task
Maniphest T351685

I keep getting logged out on Wikisource
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
Tgr
Authored By
aliu
Nov 21 2023, 2:03 AM
Tags
Referenced Files
F41524370: image.png
Nov 22 2023, 7:59 PM
F41524368: image.png
Nov 22 2023, 7:59 PM
F41523028: image.png
Nov 21 2023, 2:15 PM
F41522439: image.png
Nov 21 2023, 2:03 AM
Subscribers
Aklapper
aliu
matmarex
Samwilson
Soda
Tgr
Xover

Description

Steps to replicate the issue (include links if applicable):

  • 1. Log in to Wikipedia and use Firefox, perhaps
  • 2. Log in to any language'd edition of Wikisource (wikisource.org works even less)

What happens?:

I get correctly logged in per central auth stuff, but on any new page load, refresh or wikilink or even just opening the notifications modal, I get logged out behavior. (In the case of the notification modals, they will tell you there are no notifications even if there are)

What should have happened instead?:

I get correct logged in behavior

Software version (skip for WMF-hosted wikis like Wikipedia): Wikisource

Other information (browser name/version, screenshots, etc.):

Waterfox G6.0.5

Console messages:

Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikipedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikibooks.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikinews.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikiquote.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikiversity.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikivoyage.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wiktionary.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://www.mediawiki.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://api.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://commons.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://incubator.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://meta.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://species.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://wikimania.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://www.wikidata.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://www.wikifunctions.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwikisource start
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://login.wikimedia.org/wiki/Special:CentralAutoLogin/refreshCookies?type=1x1&wikiid=enwikisource refreshCookies
Some cookies are misusing the recommended “SameSite“ attribute 47
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://meta.wikimedia.org/w/load.php?lang=en&modules=ext.globalCssJs.user&skin=vector-2022&user=Aaron+Liu&version=opsoa startup.js:1046:16
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikipedia.org/wiki/User:Aaron_Liu/Watchlyst_Greybar_Unsin.js?action=raw&ctype=text/javascript startup.js:1046:16
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://commons.wikimedia.org/w/index.php?title=User:Jack_who_built_the_house/convenientDiscussions.js&action=raw&ctype=text/javascript startup.js:1046:16
Referrer Policy: Ignoring the less restricted referrer policy “origin-when-cross-origin” for the cross-site request: https://en.wikipedia.org/w/index.php?title=User:Gary/comments%20in%20local%20time.js&action=raw&ctype=text/javascript startup.js:1046:16

Here's a list of everything logged under "some cookies are misusing the recommended 'samesite' attribute. Every single ellipsis is a stand-in for does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite:

Cookie “WMF-DP” ... Act_III
Cookie “NetworkProbeLimit” ... Act_III
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... start
Cookie “NetworkProbeLimit” ... 2 refreshCookies
Cookie “enwikisourcemwclientprefs” ... jar.js:86:5
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 index.php
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 checkLoggedIn
Cookie “NetworkProbeLimit” ... 2 Watchlyst_Greybar_Unsin.js
Cookie “centralauth_ss0-User” ... index.php
Cookie “centralauth_ss0-Token” ... index.php
Cookie “ss0-centralauth_Session” ... index.php
Cookie “NetworkProbeLimit” ... index.php
Cookie “centralauth_ss0-User” ... index.php
Cookie “centralauth_ss0-Token” ... index.php
Cookie “ss0-centralauth_Session” ... index.php
Cookie “NetworkProbeLimit” ... index.php
Cookie “NetworkProbeLimit” ... 2 api.php
Cookie “NetworkProbeLimit” ... 2 index.php

If I try to log in to the wikisource.org (without a language prefix), I get the conventional login screen and this error when I try to log in:

image.png (895×549 px, 57 KB)

This time, the console only has these lines:

Some cookies are misusing the recommended “SameSite“ attribute 5
Cookie “ss0-sourceswikiSession” ... index.php
Cookie “centralauth_ss0-User” ... index.php
Cookie “centralauth_ss0-Token” ... index.php
Cookie “ss0-sourceswikiSession” ... index.php
Cookie “NetworkProbeLimit” ...

Details

SubjectRepoBranchLines +/-
CentralAuth: Fix wikisource.org cookie handlingoperations/mediawiki-configmaster+15 -8
Customize query in gerrit

Related Objects

Event Timeline

aliu created this task.Nov 21 2023, 2:03 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptNov 21 2023, 2:03 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr subscribed.Nov 21 2023, 7:14 AM

Works for me (well, top-level autologin works, so I couldn't test those exact steps).
Sounds like a cookie conflict. Unfortunately I am not really sure how to check your cookies in Firefox, the developer toolbar doesn't seem to go a good job of it.

aliu added a comment.Nov 21 2023, 2:03 PM

I know how to. Which cookies should I check for?

matmarex subscribed.Nov 21 2023, 2:15 PM

This looks similar to T350695. When I visit https://wikisource.org/, my browser sends two sets of CentralAuth cookies, just like T350695#9313140:

image.png (1×3 px, 540 KB)

I'm not currently experiencing the problem, but if one of those sessions expired, I probably would.

aliu added a comment.Nov 22 2023, 7:59 PM

At least on en.wikisource, I only have 1 session ID though. These are present even when not logged in:

image.png (538×637 px, 46 KB)

Multilingual wikisource does in fact give me multiple things, though the first two are identical save for name (the first one is named centralauth_ss0-Token while the second one is just named centralauth_Token)
image.png (344×652 px, 42 KB)

Tgr added a comment.Nov 22 2023, 8:39 PM
In T351685#9349115, @matmarex wrote:

This looks similar to T350695. When I visit https://wikisource.org/, my browser sends two sets of CentralAuth cookies, just like T350695#9313140:

I don't get why. We have

'wikisource' => '.wikisource.org',
'sourceswiki' => '.wikisource.org',

in the $wmgCentralAuthCookieDomain config. At least in a debug shell, it works as expected.

I guess we can add wikisources to rOMWCdf0dafd48dce: CentralAuth: Clear domain cookie when setting non-domain cookie and that will either make it better or make it worse.

In T351685#9353656, @aliu wrote:

Multilingual wikisource does in fact give me multiple things, though the first two are identical save for name (the first one is named centralauth_ss0-Token while the second one is just named centralauth_Token)

Typically what we are looking for with session loss problems is two cookies with identical name but different domain.

Soda subscribed.Nov 22 2023, 8:44 PM

Same here (cannot save a edit on en.wikisource due to being logged in and out in successive requests)

Soda added a comment.EditedNov 22 2023, 8:56 PM
In T351685#9353656, @aliu wrote:

Multilingual wikisource does in fact give me multiple things, though the first two are identical save for name (the first one is named centralauth_ss0-Token while the second one is just named centralauth_Token)

Typically what we are looking for with session loss problems is two cookies with identical name but different domain.

@Tgr I appear to have two cookies called centralauth_Session one with a domain .wikisource.org and another with a domain wikisource.org (This is Chrome 119.0.6045.105 (Official Build) (64-bit))

gerritbot added a comment.Nov 22 2023, 9:22 PM

Change 976864 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] CentralAuth: Fix wikisource.org cookie handling

https://gerrit.wikimedia.org/r/976864

gerritbot added a project: Patch-For-Review.Nov 22 2023, 9:22 PM
Samwilson subscribed.Nov 23 2023, 8:41 AM
Samwilson added a comment.Nov 24 2023, 5:33 AM

I'm only seeing this happen when I'm loading resources from wikisource.org on en.wikisource.org. In my case that was only the InterWikiTransclusion gadget, and with that turned off I'm no longer getting logged out on enwikisource.

aliu added a comment.Nov 24 2023, 2:02 PM

I'm pretty sure I haven't enabled any gadgets on Wikisource.

Soda added a comment.Nov 24 2023, 3:26 PM
In T351685#9356089, @Samwilson wrote:

I'm only seeing this happen when I'm loading resources from wikisource.org on en.wikisource.org. In my case that was only the InterWikiTransclusion gadget, and with that turned off I'm no longer getting logged out on enwikisource.

I agree, I think that might be the culprit, we should ask on scriptorium to disable it especially since it is enabled by default :)

Xover subscribed.Nov 24 2023, 4:10 PM

I've disabled the gadget on enWS, but we have multiple gadgets that crossload code from other projects (HotCat from Commons, Wikidata Framework from an obfuscated code blob in user-space on ruWS, Popups from enWP, etc.) and across the Wikisourcen multiple languages crossload scripts from oldwikisource.

I also see nothing in MediaWiki:InterWikiTransclusion.js that should be able to trigger the behaviour described, so it's not the cause and disabling it can only be a temporary measure.

aliu added a comment.Nov 24 2023, 4:12 PM

Hmm, logging in works now.

aliu added a comment.Nov 24 2023, 4:13 PM

The interlingual Wikisource's login still doesn't work.

Soda added a comment.EditedNov 24 2023, 5:36 PM
In T351685#9356844, @Xover wrote:

I've disabled the gadget on enWS, but we have multiple gadgets that crossload code from other projects (HotCat from Commons, Wikidata Framework from an obfuscated code blob in user-space on ruWS, Popups from enWP, etc.) and across the Wikisourcen multiple languages crossload scripts from oldwikisource.

I also see nothing in MediaWiki:InterWikiTransclusion.js that should be able to trigger the behaviour described, so it's not the cause and disabling it can only be a temporary measure.

The gadget is loading code from wikisource.org which is causing the session cookie conflicts mentioned, this should be temporary untill the patch that Tgr has proposed has been merged and deployed

Samwilson added a comment.Nov 24 2023, 11:45 PM

Yeah it's only the cross-loading from wikisource.org that's the concern, the others (Commons etc.) should be fine.

matmarex added a comment.Nov 25 2023, 4:40 AM
In T351685#9353785, @Tgr wrote:
In T351685#9349115, @matmarex wrote:

This looks similar to T350695. When I visit https://wikisource.org/, my browser sends two sets of CentralAuth cookies, just like T350695#9313140:

I don't get why. We have

'wikisource' => '.wikisource.org',
'sourceswiki' => '.wikisource.org',

in the $wmgCentralAuthCookieDomain config. At least in a debug shell, it works as expected.

I guess we can add wikisources to rOMWCdf0dafd48dce: CentralAuth: Clear domain cookie when setting non-domain cookie and that will either make it better or make it worse.

Yeah, the current configuration looks correct to me.

The domain-less cookies are from before rOMWCbeb76abd7344: Generalize Meta/Commons exceptions for CentralAuth cookie handling. We didn't notice this when making that change, but taking a closer look now, I can see that the old code with regexps for the domains was not setting the domain for sourceswiki, because (unlike every other Wikimedia wiki!) its domain has only two segments – it's just "wikisource.org" and not "www.wikisource.org" – and the regexp did not match it.

This explains why the new cookies for wikisource.org conflict with the old cookies for wikisource.org, like in T350695#9313416, but opposite (old cookies did not have the 'domain' parameter, new ones do).

But this makes me wonder. Even before that config change, the language-specific Wikisources at xx.wikisource.org have been setting cookies with 'domain' set to '.wikisource.org'. Why were they not conflicting with the cookies without 'domain' set by the multilingual Wikisource at wikisource.org?

And I think the answer is that they actually were conflicting, and the configuration for wikisource.org has just been broken for years. I found several bug reports that complain specifically about wikisource.org: T127650, T145545, T263888. However, the problem would go away after they visited xx.wikisource.org, so it was never investigated properly. We fixed it by accident, unfortunately causing this issue instead.

Xover added a comment.Nov 25 2023, 6:12 AM
In T351685#9356966, @Soda wrote:

The gadget is loading code from wikisource.org which is causing the session cookie conflicts mentioned, this should be temporary untill the patch that Tgr has proposed has been merged and deployed

There are at least three other gadgets on enWS that crossload code from mulWS. They're not default, but since this affects users with an account the effect should be the same for those with these enabled. frWS crossloads at least two gadgets and loads code from mulWS in its Common.js (as default as you can get). plWS loads from mulWS in at least one gadget and thrice in Common.js. Smaller projects often load all their gadgets that way (but I haven't checked specifically because they tend to look like this).

IOW, there's nothing really unique about MediaWiki:InterWikiTransclusion.js on enWS in that sense.

The only obvious thing I can think of is that MediaWiki:InterWikiTransclusion.js actually calls a remote API and asks it to render wikitext, whereas the other gadgets operate locally once the code is loaded.

Soda added a comment.Nov 25 2023, 11:04 AM
In T351685#9357218, @Xover wrote:
In T351685#9356966, @Soda wrote:

The gadget is loading code from wikisource.org which is causing the session cookie conflicts mentioned, this should be temporary untill the patch that Tgr has proposed has been merged and deployed

There are at least three other gadgets on enWS that crossload code from mulWS. They're not default, but since this affects users with an account the effect should be the same for those with these enabled. frWS crossloads at least two gadgets and loads code from mulWS in its Common.js (as default as you can get). plWS loads from mulWS in at least one gadget and thrice in Common.js. Smaller projects often load all their gadgets that way (but I haven't checked specifically because they tend to look like this).

IOW, there's nothing really unique about MediaWiki:InterWikiTransclusion.js on enWS in that sense.

The only obvious thing I can think of is that MediaWiki:InterWikiTransclusion.js actually calls a remote API and asks it to render wikitext, whereas the other gadgets operate locally once the code is loaded.

Those three other gadgets probably also affect users who have them enabled. The problem here is not with the gadget itself, but the fact that it is enabled by default.

Tgr added a comment.Nov 26 2023, 7:34 AM
In T351685#9357214, @matmarex wrote:

... because (unlike every other Wikimedia wiki!) its domain has only two segments – it's just "wikisource.org" and not "www.wikisource.org" – and the regexp did not match it.

Oh right, the regex has a dot at the end, I didn't notice that.

And I think the answer is that they actually were conflicting, and the configuration for wikisource.org has just been broken for years. I found several bug reports that complain specifically about wikisource.org: T127650, T145545, T263888. However, the problem would go away after they visited xx.wikisource.org, so it was never investigated properly.

Yeah I think this was just broken, and not noticed because not many people use both old Wikisource and a language-specific one. T124620 was probably also the same issue and we misidentified it (we fixed a bug in CA but it wasn't really the root cause).

Xover added a comment.Nov 26 2023, 7:55 AM

To the degree it is 1) technically feasible and 2) will actually help, I don't think a proposal to rename "wikisource.org" to something with a third segment will be received as an attack on the very foundations of… etc. We tend to call it "Multilingual Wikisource" or mulWS nowadays, and the two-segment name was a call made way back in the mists of time when the alternative was more "oldwikisource" than anything else. I can't predict how the communities will land on the question (they may prefer to maintain the status quo), but asking is at least an option.

Last I heard, renaming a wiki was infeasible in practice; but if that's changed and mulWS is the only oddball and it's causing issues like this one periodically…

Tgr added a comment.Nov 26 2023, 9:25 AM
In T351685#9357570, @Xover wrote:

Last I heard, renaming a wiki was infeasible in practice

Not infeasible but a lot of work, while fixing this bug directly isn't hard.

but if that's changed and mulWS is the only oddball and it's causing issues like this one periodically…

It's definitely an outlier and it would be nice not to have to think about it. Not sure if it's worth the effort for a rename, though. Anyway, the relevant task is T64717: Move oldwikisource on www.wikisource.org to mul.wikisource.org.

(We could also maybe just flip the www.wikisource.org -> wikisource.org redirect. All of our other multilingual wikis on a second-level domain, like mediawiki.org or wikidata.org, behave that way. Granted wikisource is the only wiki which has both a generic version and a language family, so maybe there is some special reason I'm missing that applies to it.)

larissagaulia moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Nov 27 2023, 12:59 PM
larissagaulia edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
matmarex moved this task from Radar to Current Sprint on the MediaWiki-Platform-Team board.Nov 27 2023, 4:27 PM
matmarex edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Radar).

Scheduled for deployment today: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20231127T2100

gerritbot added a comment.Nov 27 2023, 9:04 PM

Change 976864 merged by jenkins-bot:

[operations/mediawiki-config@master] CentralAuth: Fix wikisource.org cookie handling

https://gerrit.wikimedia.org/r/976864

Stashbot added a comment.Nov 27 2023, 9:04 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-27T21:04:27Z] <cjming@deploy2002> Started scap: Backport for [[gerrit:976864|CentralAuth: Fix wikisource.org cookie handling (T351685)]]

Stashbot added a comment.Nov 27 2023, 9:05 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-27T21:05:43Z] <cjming@deploy2002> cjming and tgr: Backport for [[gerrit:976864|CentralAuth: Fix wikisource.org cookie handling (T351685)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Maintenance_bot removed a project: Patch-For-Review.Nov 27 2023, 9:10 PM
Stashbot added a comment.Nov 27 2023, 9:15 PM

Mentioned in SAL (#wikimedia-operations) [2023-11-27T21:15:54Z] <cjming@deploy2002> Finished scap: Backport for [[gerrit:976864|CentralAuth: Fix wikisource.org cookie handling (T351685)]] (duration: 11m 26s)

Tgr closed this task as Resolved.Nov 27 2023, 9:36 PM
Tgr claimed this task.

Should be fixed, please reopen if you still experience the issue.

aliu added a comment.Nov 27 2023, 9:40 PM

Yep, fixed!

matmarex mentioned this in T127650: Can't log in multilingual wikisource.Nov 28 2023, 10:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL