
SUL3: Consider adding interstitial when the user is already logged in centrally
Open, Needs Triage, Public

Description

For SUL3 (T348388: SUL3: Use a dedicated domain for login and account creation) we want to ensure that access to the central session cookies is preceded by user interaction. When the user is not centrally logged in, that means we render the log in form on the central domain (which counts as a user interaction, as required by browsers to reliably store cookies on the central domains).

When the user is already centrally logged in, we currently redirect straight back to the local wiki and log the user in there. This is great for user experience, but browsers might penalize cookie retention if there is no interaction there like there is on log-in. This task is to determine whether that is reliable or not.

Otherwise, we might need to create an interstitial there with some trivial user interaction, such as clicking a button. (Other websites usually show a mini profile with some sort of "You are logged in as XX, continue / switch account" choice.)

Implementation
This can't be put in the authentication provider since the authentication provider is not invoked when the user is already logged in. We'll probably have to create a special page for it, and make the redirect flow either home wiki -> loginwiki:Special:LoginInterstitial?returnurl=... with the special page requiring login (and thus naturally redirecting to the login page), or home wiki -> loginwiki:Special:Userlogin?returnto=Special:LoginInterstitial&returnurl=....

Not sure what to do about API login/signup. I guess we can just ignore that because we couldn't guarantee user interaction there anyway.
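As an added illustration of the first redirect flow sketched above (home wiki -> loginwiki:Special:LoginInterstitial?returnurl=...), here is a hypothetical Special:LoginInterstitial for the login wiki. This is example code written for this note, not CentralAuth or SUL3 code. It assumes a config key $wgSul3AllowedReturnHosts (an allowlist of local-wiki hosts; not something the task defines) and uses plain strings where real code would use i18n messages; the class names are the global aliases MediaWiki keeps for SpecialPage, Html and HTMLForm. The point it demonstrates: requireLogin() supplies the log-in form (and thus the interaction) for a user who is not centrally logged in, while a user who already is gets a page that redirects only after a POST with a valid edit token, and the returnurl is validated against the allowlist both when rendering and when submitting, so the page cannot be used as an open redirect.

```php
<?php
// Added illustration (not CentralAuth / SUL3 code): a hypothetical
// Special:LoginInterstitial for the loginwiki, following the flow
//   home wiki -> loginwiki:Special:LoginInterstitial?returnurl=...
// Assumptions, not in the task: the config key $wgSul3AllowedReturnHosts
// (allowlist of local-wiki hosts) and plain-text strings instead of
// i18n messages.

class SpecialLoginInterstitial extends SpecialPage {

	public function __construct() {
		parent::__construct( 'LoginInterstitial' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();

		// Not centrally logged in: requireLogin() throws UserNotLoggedIn,
		// which sends the user to Special:Userlogin with returnto pointing
		// back at this page (query included), so the login form itself is
		// the required user interaction.
		$this->requireLogin();

		// Centrally logged in: do NOT redirect yet. Render a page that needs
		// one click, and validate the destination before rendering it.
		$returnUrl = $this->getRequest()->getVal( 'returnurl', '' );
		if ( !$this->isAllowedReturnUrl( $returnUrl ) ) {
			$this->getOutput()->addHTML( Html::errorBox(
				'The return URL is missing or is not a known wiki.' ) );
			return;
		}

		$notice = Html::element( 'p', [],
			'You are logged in as ' . $this->getUser()->getName() . '.' );

		$form = HTMLForm::factory( 'ooui', [
			'info' => [ 'type' => 'info', 'raw' => true, 'default' => $notice ],
			'returnurl' => [ 'type' => 'hidden', 'default' => $returnUrl ],
		], $this->getContext() );
		$form->setSubmitText( 'Continue' );
		// HTMLForm runs the callback only for a POST carrying a valid edit
		// token, so a bare GET (or a forged cross-site form) never redirects.
		$form->setSubmitCallback( function ( array $data, HTMLForm $form ) {
			// Re-check: the hidden field round-trips through the client.
			if ( !$this->isAllowedReturnUrl( $data['returnurl'] ) ) {
				return 'The return URL is not a known wiki.';
			}
			$form->getOutput()->redirect( $data['returnurl'] );
			return true;
		} );
		$form->show();
	}

	/**
	 * Open-redirect guard: only https URLs whose host is on the configured
	 * allowlist ($wgSul3AllowedReturnHosts, assumed) may be a destination.
	 */
	private function isAllowedReturnUrl( string $url ): bool {
		$parts = wfParseUrl( $url );
		if ( !$parts || ( $parts['scheme'] ?? '' ) !== 'https' ) {
			return false;
		}
		$config = $this->getConfig();
		$allowed = $config->has( 'Sul3AllowedReturnHosts' )
			? $config->get( 'Sul3AllowedReturnHosts' )
			: [];
		return in_array( strtolower( $parts['host'] ), $allowed, true );
	}
}
```

The second flow from the description (home wiki -> loginwiki:Special:Userlogin?returnto=Special:LoginInterstitial&returnurl=...) lands on the same page after login, so the same validation and button apply there too. Register the page in the extension's SpecialPages list as usual; the allowlist is the piece to keep in sync with the set of local wikis.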

Event Timeline


This should probably be done as part of T363699: Determine and implement SUL 3 login handshake mechanism, since when the user is already logged in we'll have to put the handshake logic in the interstitial page.

Krinkle renamed this task from SUL3: show an interstitial when the user is already logged in centrally to SUL3: Consider adding interstitial when the user is already logged in centrally. Aug 26 2024, 2:28 PM
Krinkle updated the task description.

@Tgr I've updated the description based on the meeting today. If added as-is, it would redirect straight back when already centrally logged-in. Is that correct? Or would we also need to create a new special page for a redirect without interaction? I'm assuming that the login url that local wikis point to would invoke at least some portion of the auth code, but I'm guessing that the portion it invokes isn't extendible via AuthManager, so it just redirects back to the canonical domain based on the returnto article when already logged-in. Right?

If added as-is, it would redirect straight back when already centrally logged-in. Is that correct?

Yes, Special:Userlogin immediately redirects when the user is logged in and returnto is set (a feature added to make the situation less inconvenient when the user has many tabs open, the session expires, and all the tabs redirect to the login page), so we set a fake returnto, and when already logged in (and also at the end of login) that triggers the PostLoginRedirect hook, which is where the shared-domain part of the SUL3 logic lives.