
Disabling PHP session handling breaks OAuth requests utilising CSRF tokens
Open, Needs Triage | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Set $wgPHPSessionHandling = 'disable'; in LocalSettings.php
  • Enable the OAuth extension
  • Create a new OAuth (2.0) consumer, not owner-only, not confidential, and approve it
  • Proceed through the OAuth authorization_code flow and obtain an access token
  • Make a request to api.php?action=query&meta=tokens&type=csrf with an Authorization: Bearer <access_token> header to obtain a CSRF token
  • Make a request to api.php?action=edit with the same Authorization header, and the CSRF token passed in the body as token

What happens?:

An error is returned which states "Invalid CSRF token" and the edit doesn't occur.

What should have happened instead?:

The edit should be successfully made.

Software version (skip for WMF-hosted wikis like Wikipedia): 1.39.5

Other information (browser name/version, screenshots, etc.):

The problem also occurs on the api.php?action=checktoken&type=csrf route (which simply returns "invalid"), and presumably any other authenticated route which requires a CSRF token.
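The last two reproduction steps (fetching a CSRF token over an OAuth 2.0 bearer token, then submitting it to action=edit), plus the action=checktoken probe mentioned above, as an added Python example. This is not code from the bug report or from MediaWiki or the OAuth extension; it assumes steps 1 to 4 have already been done and takes the api.php URL, the access token and a page title from the environment variables WIKI_API, OAUTH_ACCESS_TOKEN and EDIT_TITLE (all assumed names). The sample replies at the bottom are constructed, shaped like the action API's JSON output, so the parsing helpers can be exercised without a wiki.

```python
# Added example (not code from the bug report, MediaWiki or the OAuth
# extension). Runs steps 5 and 6 of the report with an already-obtained
# OAuth 2.0 bearer token and reports how the edit failed.
import json
import os
import sys
import urllib.parse
import urllib.request


def api_call(api_url, params, access_token, post=False):
    """Call api.php with an Authorization: Bearer header; return parsed JSON."""
    params = dict(params, format="json")
    data = urllib.parse.urlencode(params).encode()
    if post:
        req = urllib.request.Request(api_url, data=data, method="POST")
    else:
        req = urllib.request.Request(api_url + "?" + data.decode(), method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("User-Agent", "oauth-csrf-repro/0.1 (added example)")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def extract_csrf_token(token_reply):
    """Pull csrftoken out of a meta=tokens reply; raise if it is missing."""
    try:
        return token_reply["query"]["tokens"]["csrftoken"]
    except (KeyError, TypeError):
        raise ValueError("no csrftoken in reply: %r" % (token_reply,))


def checktoken_result(checktoken_reply):
    """Return the action=checktoken verdict ('valid', 'invalid' or 'expired')."""
    return checktoken_reply["checktoken"]["result"]


def edit_error_code(edit_reply):
    """Return the API error code of a failed action=edit, or None on success."""
    error = edit_reply.get("error")
    return error["code"] if error else None


def reproduce(api_url, access_token, title):
    """Steps 5 and 6: get a CSRF token over the bearer token, probe it with
    action=checktoken, then try an edit. Returns (checktoken verdict, edit
    error code); the report's expected behaviour is ('valid', None)."""
    token = extract_csrf_token(api_call(
        api_url, {"action": "query", "meta": "tokens", "type": "csrf"}, access_token))
    verdict = checktoken_result(api_call(
        api_url, {"action": "checktoken", "type": "csrf", "token": token}, access_token))
    # The CSRF token travels in the POST body, as in the report.
    edit = api_call(api_url, {
        "action": "edit", "title": title, "summary": "OAuth CSRF repro",
        "appendtext": "\nOAuth CSRF repro", "token": token,
    }, access_token, post=True)
    return verdict, edit_error_code(edit)


# Constructed sample replies (shaped like the action API's JSON output) so the
# helpers above can be checked offline. The token value is made up.
SAMPLE_TOKEN_REPLY = {"batchcomplete": "", "query": {
    "tokens": {"csrftoken": "0123456789abcdef0123456789abcdef+\\"}}}
SAMPLE_CHECKTOKEN_INVALID = {"checktoken": {"result": "invalid"}}
SAMPLE_EDIT_BADTOKEN = {"error": {"code": "badtoken", "info": "Invalid CSRF token."}}
SAMPLE_EDIT_OK = {"edit": {"result": "Success", "title": "Sandbox"}}


if __name__ == "__main__":
    # Assumed environment variable names; not part of the original report.
    api_url = os.environ.get("WIKI_API", "http://localhost/w/api.php")
    access_token = os.environ["OAUTH_ACCESS_TOKEN"]
    title = os.environ.get("EDIT_TITLE", "Sandbox")
    verdict, code = reproduce(api_url, access_token, title)
    print("checktoken:", verdict, "| edit error code:", code)
    # Exit non-zero when the bug reproduces, so it can run as a regression check.
    sys.exit(0 if code is None else 1)
```

Run it twice against the same wiki, once with $wgPHPSessionHandling left at its default and once with it set to 'disable'; the bug report's symptom corresponds to the second run printing `checktoken: invalid | edit error code: badtoken` while the first prints `checktoken: valid | edit error code: None`.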

Event Timeline

I note that in T302623#8566372, it is clear that there is an intention to phase out PHP session handling. This seems like a hard blocker right now.