Page MenuHomePhabricator
Create Task
Maniphest T354910

Create simple MediaWiki session handler for remote login
Open, Needs TriagePublic
Actions

Description

CookieSessionProvider is optimized to be used with a password-based provider, and even for that it has a bit of legacy cruft. It sets six cookies: <wiki>_session, <wiki>UserID, <wiki>UserName, <wiki>Token (for the "keep logged in" option), <wiki>LoggedOut (for cache breaking) and forceHTTPS. CentralAuthSessionProvider extends this with four more cookies, centralauth_Session, centralauth_User, centralauth_Token, centralauth_LoggedOut. It's a bit over the top even for our current authentication flows; once we move authentication off the wiki (T348388: SUL3: Use a dedicated domain for login and account creation), we won't need most of these.

We should probably create a simpler session handler for wikis which use a remote identity provider, maybe split in a core and a CentralAuth part like CookieSessionProvider / CentralAuthSessionProvider. (Or maybe we should just figure out how to bring the central session concept into AuthManager.) Probably just needs four things:

  • The session cookie, always per-wiki (since we use it to store session data like CSRF which is also per-wiki). Maybe we don't even really need this and can just use a hash of the central session ID? We'd have to rethink how ID reset works though.
  • A proof-of-central-login token, which can be confiugred to be set on the parent domain. CentralAuthSessionProvider uses a separate central session id + central user token cookie. We can do that, but if we can make the "are we centrally logged in" check unobtrusive enough, maybe it's not really needed.
  • The logged-out cookie, and forceHTTPS for non-Wikimedia wikis; these can also be set on the parent domain.

Related Objects

Event Timeline

Tgr created this task.Jan 11 2024, 9:43 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 11 2024, 9:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a comment.Jan 13 2024, 3:51 AM

Although storing the user name or ID in a cookie does have modest security benefits as it ties the session to the user (it's also linked in other ways but an extra check probably doesn't hurt and having an extra cookie is not a big cost).

larissagaulia moved this task from Inbox, needs triage to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Jan 15 2024, 3:48 PM
ArielGlenn subscribed.Jan 21 2024, 3:20 PM
Bugreporter moved this task from Backlog to Central session, SSO (autologin) and centralauthtoken on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:37 AM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Roadmap); removed MediaWiki-Platform-Team.Jan 22 2025, 3:45 PM
JTweed-WMF moved this task from Now => Move to Inbox to Parking Lot on the MediaWiki-Platform-Team (Roadmap) board.
Tgr mentioned this in T394012: Decide how to expose session information outside of MediaWiki.May 13 2025, 10:56 AM
OWresch-WMF moved this task from Roadmap to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Tue, Jan 20, 11:18 AM
OWresch-WMF edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Roadmap).
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits