Determine SUL 3 login handshake mechanism
Open, Needs Triage, Public

Description

CentralAuth relies on a central session (a MediaWiki session on a predefined domain, like login.wikimedia.org) for looking up the user's identity on any given wiki. This requires a handshake: the browser, the server when accessed via the central session domain, and the server when accessed via the local wiki domain need to exchange information with each other in a way that allows the server to verify that the user talking to it through the login domain and the user talking to it through the local domain are the same.

(TODO add description and dialog of how central login / central autologin works now; for now see here.)

T348388: Use central login wiki for login (SUL3) will change the login process - credential verification will happen on the central domain, not the local domain, so instead of communicating the fact of a successful login from the local domain to the central domain, we will need to do it in the opposite direction. We need to come up with an exact algorithm for this. This is the most security-sensitive part of CentralAuth and will require careful auditing.