Page MenuHomePhabricator
Create Task
Maniphest T355280

Try to connect to central session before temp user creation
Open, Needs TriagePublic
Actions

Description

When a temp user visits a new wiki, they might get detached from they central session and appear logged out, due to the issues described in T345249: Mitigate phase-out of third-party cookies in CentralAuth. Clicking on the login link should still work - the workaround in T326281: Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies) seems pretty robust so far. But if they start editing a page instead, that creates a temporary user first and does central login only after that, so they would end up as different temp users on different wikis. (I think. I haven't found an easy way to verify it. On beta cross-domain cookies always work, because of T345249#9464539 I think.)

If this is indeed the case, not sure how we could prevent it. For edits via the web form, we could just do a top-level autologin when the user opens the edit form. But for JS-based editors which open without reloading the page, that would be too disruptive. Automatically rename/merge the second temp user when the browser is doing the after-edit central login and the login wiki finds out that they are already logged in as a different users? That seems very complicated.

Related Objects
Search...

Event Timeline

Tgr created this task.Jan 18 2024, 3:59 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 18 2024, 3:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a subtask: T355281: Set up some beta cluster wikis with different registrable domain.Jan 18 2024, 5:33 AM
Tchanders added subscribers: Tchanders, Batorsz, Urbanecm_WMF.Jan 18 2024, 8:19 AM
Tgr added a parent task: T326937: Prepare CentralAuth extension for IP Masking.Jan 19 2024, 12:36 AM
matmarex subscribed.Jan 22 2024, 4:25 PM
matmarex unsubscribed.
matmarex subscribed.Jan 22 2024, 4:28 PM
Tgr mentioned this in T355621: Gather metrics about the impact of third-party cookie blocking on login.Jan 29 2024, 9:51 AM
Tgr added a comment.Jan 30 2024, 10:48 PM

I can see two ways of handling this:

  • Try to ensure the user is logged in by the time of the edit, by doing a top-level redirect either when they open the editor or when they submit the edit. This is strightforward for the old editor, but not really possible for JS-based editors as far as I can see. (Maybe via a popup window?)
  • After the edit, when we do a central login redirect, special-case the situation where the user is already logged in centrally and do a user merge.

Or we can just ignore the problem and accept that some fraction of temp users will have multiple identities (a fairly large fraction, given the impending Chrome third-party cookie deprecation).

kostajh subscribed.Jan 31 2024, 6:55 AM
pmiazga moved this task from Inbox, needs triage to Soon on the MediaWiki-Platform-Team board.Feb 5 2024, 4:12 PM
Bugreporter moved this task from Backlog to Central session, SSO (autologin) and centralauthtoken on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:36 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL