
Do not do central login after security reauthentication
Open, Needs Triage · Public

Description

When an already logged-in user is accessing a page requiring elevated security (e.g. Special:BotPasswords), we require them to log in again. This is handled as a normal login, so when the primary authentication provider is CentralAuth, it is followed by a central login. Since the user is already logged in, this is pointless.

To complicate things, after T348388: Use central login wiki for login (SUL3) we will have to do some sort of central-ish login since we want to do all login centrally. But even then we don't need to go through the whole session negotiation process / redirect chain, just go through the login process on the central wiki and verify that it succeeded.

See also:
T208823: Support asynchronous reauthentication
T208668: Do not ask for password on reauthentication when 2FA is enabled

Event Timeline

Restricted Application added a subscriber: Aklapper.

Since the user is already logged in, this is pointless.

I am not sure it is true. If the user does not interact with loginwiki in some way, the global (loginwiki) session may expire earlier than the local wiki session (imagine you have been visiting Wikipedia for a week but did not interact with loginwiki in any way; then the browser may expire your loginwiki session while keeping the Wikipedia session). So in this case doing central login would be useful.

Note this circumstance may already happen currently - we may want to measure how many logged-in users do not currently have a valid global session.

This is a good reminder that we will have to think about how security reauthentication will work (whether or not we want to change this specific aspect) when we work on T348388: Use central login wiki for login (SUL3).

If the user does not interact with loginwiki in some way, the global (loginwiki) session may expire earlier than the local wiki session (imagine you have been visiting Wikipedia for a week but did not interact with loginwiki in any way; then the browser may expire your loginwiki session while keeping the Wikipedia session). So in this case doing central login would be useful.

For users who check "keep logged in", both the central and the local session last for a year. Having to log in once a year is fine. Users who don't check the checkbox are on their own (IIRC their central session expires after a day). In any case reauthentication is too rare and erratic to be worth thinking of as a session keepalive mechanism.
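The disagreement above is about whether the central (loginwiki) session can lapse while the local session is still alive. The following is an added toy model written for this page; it is not MediaWiki or CentralAuth code, and the session lifetimes in it (30 days local, one day central without "keep logged in", one year for both with it) are assumptions taken from the comments, not measured values. It models local page views that renew only the local session, decides whether a security reauthentication would need to re-establish the central session, and counts logged-in users without a valid global session, the measurement suggested in the thread.

```python
"""Constructed model of local vs. central session lifetimes during reauthentication.

Not MediaWiki/CentralAuth code. All TTLs below are assumptions drawn from the
task discussion.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 86_400
YEAR = 365 * DAY

LOCAL_TTL = 30 * DAY          # assumption: local session without "keep logged in"
CENTRAL_TTL = 1 * DAY         # thread: central session expires after about a day
KEEP_LOGGED_IN_TTL = YEAR     # thread: both sessions last a year with "keep logged in"


@dataclass
class Session:
    expires_at: int
    ttl: int

    def valid(self, now: int) -> bool:
        return now < self.expires_at

    def renew(self, now: int) -> None:
        # A visit extends the session by its original TTL (assumption).
        self.expires_at = max(self.expires_at, now + self.ttl)


@dataclass
class User:
    local: Optional[Session] = None
    central: Optional[Session] = None


def login(user: User, now: int, keep_logged_in: bool) -> None:
    """Full login: establishes both the local and the central session."""
    local_ttl = KEEP_LOGGED_IN_TTL if keep_logged_in else LOCAL_TTL
    central_ttl = KEEP_LOGGED_IN_TTL if keep_logged_in else CENTRAL_TTL
    user.local = Session(now + local_ttl, local_ttl)
    user.central = Session(now + central_ttl, central_ttl)


def visit_local(user: User, now: int) -> None:
    """A page view on the local wiki touches only the local session.

    The central session is not contacted, modelling the scenario in the
    thread: a week of Wikipedia browsing without ever reaching loginwiki.
    """
    if user.local is not None and user.local.valid(now):
        user.local.renew(now)


def reauth_decision(user: User, now: int) -> str:
    """What a security reauthentication should do for this user right now.

    'deny'          - no valid local session, so this is an ordinary login, not a reauth
    'local-only'    - central session still valid: re-verify credentials, skip central login
    'central-login' - central session lapsed: re-verify and re-establish the central session
    """
    if user.local is None or not user.local.valid(now):
        return "deny"
    if user.central is not None and user.central.valid(now):
        return "local-only"
    return "central-login"


def count_local_without_central(users: list, now: int) -> int:
    """Logged-in (locally) users whose global session is no longer valid."""
    return sum(1 for u in users if reauth_decision(u, now) == "central-login")


def simulate_week(keep_logged_in: bool) -> str:
    """Log in at t=0, visit the local wiki once a day for a week, then reauth."""
    user = User()
    login(user, 0, keep_logged_in)
    for day in range(1, 8):
        visit_local(user, day * DAY)
    return reauth_decision(user, 7 * DAY)


if __name__ == "__main__":
    print("no keep-logged-in, after a week:", simulate_week(False))
    print("keep-logged-in, after a week:   ", simulate_week(True))
```

Running the model shows the two positions in the thread side by side: without "keep logged in" a week of local activity leaves the local session alive while the central one has lapsed, so a reauthentication that skips central login entirely would leave the user without a global session; with "keep logged in" both sessions are still valid and the central round trip is redundant.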