
editors are repeatedly getting logged out (August 2024)
Closed, Resolved | Public | BUG REPORT

Description

Several people are getting logged out at random times (usually every few days, sometimes multiple times a day). Seems to have started in early August and is corroborated by the stats of how often people use top-level autologin:

Screenshot Capture - 2024-10-09 - 10-44-50.png (580×1 px, 237 KB)

On-wiki reports: Wikipedia, Wikidata, Wikipedia (2)
(summary of reports)

Other authentication issues reported in the same period, possibly related:
T374757: Login errors related to session hijacking
T374184: Using two accounts can lead to login failure with "Session ID/User mismatch"

Enabling NetworkSession caused high Kask load (T373826), starting around the same time, but that seems unrelated (reducing the load had no effect; also the starting date doesn't exactly align).

Related Objects

Status: Resolved | Subtype: BUG REPORT | Assigned: Tgr

Event Timeline


I was also logged out on desktop this morning, last logged in views would have been around 03:00 UTC, first request this morning was a few minutes ago (15:25 UTC)

And again this morning. 1401 UTC is when I noticed it.

@Tgr: Can it be possible that this is not a cookie bug but any malware or virus accessing the session cookies?

And another logout, at some point between 15:19 and 18:36 UTC today 7 November.

I have become logged out again between 23:00 and 9:30 UTC, but only on desktop browser, not mobile. User name: Doc_Taxon

How is it even possible that one can be logged out only on the computer, but not simultaneously on the smartphone?

I've noticed some odd behaviour lately, which may or may not be related, but I'll mention it just in case.
I normally have a persistent login to en.wikipedia.org ("Keep me logged in ...") and it generally works - if I start the browser then go to https://en.wikipedia.org/wiki/Special:Watchlist. But today, if I close my browser then click on a link to a Wikipedia page that I had saved on my desktop, or a link to a Wikipedia article in my e-mail program (Thunderbird) the browser opens on the page but appears to NOT be logged in. If I go to another random page I still appear not logged in. But if I then go to https://en.wikipedia.org/wiki/Special:Watchlist (which requires me to be logged in) I appear to be logged in again (without entering username and password).
This happens every time at the moment. I can't say how often it has been doing this, because usually I open the browser first rather than following a link to a Wikipedia page from something other than the browser (e.g. link on desktop, or in e-mail client) when the browser is not already running.

Environment: Firefox 115.17.0esr, Windows 7

I just logged out of Wikipedia, cleared the browser cache and cookies (using Firefox's "forget about this site" from History), logged back in - and now I can't repeat the problem any more. So maybe there was just something weird about my machine's stored cookies. But perhaps other users having the "getting logged out" problem could try the same thing (close all browser instances, click on link on Desktop, check if logged in, go to watchlist) to see if they can replicate it.

Could I get a status update on this? I sit on the Ombuds Commission. While we have not officially taken this up as a case, we have discussed it informally since it has the potential to lead to a user's IP address being leaked. The OC is charged with monitoring infringements of the WMF privacy policy and our purview includes being able to "suggest suitable changes to policies or software", hence our interest in this particular issue.

This task is a concern for Temporary accounts project, in that once a user is logged out of their temporary account, there's no way to log back into it. Is it possible to instrument how often these unexpected logouts are happening, bucketed for named and temporary accounts?

I would consider this task a blocker for deployment of temporary accounts past the minor pilot wikis unless someone can show that it doesn't affect temporary accounts for some reason. We'll get (and have started to get) enough complaints about active misuse of multiple temporary accounts without needing to make it even easier to do unintentionally.

UTC 19:00
I was working in svwiki and wikidata (Edge, Windows 10). I clicked in Wikidata on a link to https://k8s-status.toolforge.org/namespaces/tool-deltabot/. No problem. BUT, I got logged out from svwiki, but not from wikidata. I'm still logged in on my mobile.

EDIT:
I tried the same thing again. I stayed logged in. Can be a coincidence that it happened when I clicked on a link to toolforge.

@Tgr could I (politely) bug you for a status update?

1506 UTC, I just had it happen to me on the fly. I was logged in, went to respond to a comment using the "[reply]" link, and found myself logged out when I went to save my edit.

Screenshot 2024-11-16 at 10.10.28 AM.png (2×2 px, 1 MB)

Screenshot 2024-11-16 at 10.17.18 AM.png (386×1 px, 51 KB)

Screenshot 2024-11-16 at 10.18.15 AM.png (902×2 px, 241 KB)

I sometimes have Wikidata indicating that I'm logged out while saving edits, despite still being logged in. Refreshing the page works in my case.

telegram-cloud-photo-size-4-5836930065470965669-m.jpg (160×312 px, 11 KB)

"I sometimes have Wikidata indicating that I'm logged out while saving edits, despite still being logged in."

In this case, I was clearly logged out. When I opened another window in parallel with the first one, it showed I was logged out. When I reloaded the page in the first window, it also showed I was logged out.

I was logged out again today (17 November), at some point between 11:39 and 22:10 UTC. I was away from my computer from around 12:00 until shortly before I discovered I was logged out. I did browse Wikipedia on my phone during that time, but I was logged in there as a different user (and have not been logged out) so I don't think that is relevant.

Of note is that during October (when I started keeping records) I was getting logged out on average every 2-3 days, but today was the first time in 10 days and only the third time in November:
[for 8-23 October see comment T372702#10265491]

  • 23 October between 08:14 and c. 19:45
  • 26 October between 21:27 and 21:32
  • 4 November between 12:36 and 13:10
  • 7 November between 15:19 and 18:36
  • 17 November between 11:39 and 22:10

@Tgr any chance of a status update? I see you've been working on other phab tickets, so if you're busy, could you at least acknowledge that you've seen my pings here?

And again, logged out this morning. Approx 1549 UTC, first thing in the morning.

After some weeks where I wasn't totally logged-out, and just clicking on the login button would auto-log me again, in the last two days I have been logged out totally many times, and even being logged at euwiki didn't central log me into Wikidata, where I was asked again the 2FA.

I have never encountered this bug. Is there something that editors in this thread all have in common? Skin, browser, Special:Preference, gadget, userscript, wikis edited, etc?

It has been established that it's browser independent, although not seeming to impact mobile browsers at all.
I use monobook skin, and spend most of my time on en.wp although I do frequently visit Commons, en Wiktionary and Meta. I also read WikiVoyage occasionally
I don't know how to easily share my preferences but here are my settings for gadgets, beta features and custom scripts on my four frequently used wikis:
en.wp:
Non-default gadgets:

  • Navigation popups
  • find-archived section
  • Display pages on your watchlist that have changed since your last visit in bold
  • Citation expander
  • HotCat
  • Add an [edit] link for the lead section of a page
  • Add a "Purge" option to the top of the page, which purges the page's cache
  • Allow /16, /24 and /27 – /32 CIDR ranges on Special:Contributions forms, as well as wildcard prefix searches (e.g., "Splark*") (report issues)
  • Enable tracking bugs on Phabricator using the {{tracked}} template


Beta features:

  • Paragraph-based edit conflict
  • Discussion tools

common.css: [not edited since 2022]

  • VE background colour
  • Stronger colours for notifications and message icons
  • Test for nowrap hatnote links

common.js: [last edited July 2024 to add Source links]

  • [[User:Evad37/WikidataWatchlistLabels]]
  • [[User:Enterprisey/diff-permalink.js]]
  • [[User:Andy M. Wang/pageswap]]
  • [[User:PrimeHunter/Source links.js]]

monobook js: [last edited 2014]

  • [[User:Lupin/popups.js]]
  • [[User:R3m0t/handywatch.js]]
  • Interiot's javascript edit counter
  • Script from [[User:ais523/editcount.js]]

meta:
Non-default gadgets:

  • Contributions Range:
  • Navigation popups
  • WishlistTranslation:

No beta features, common.js or css

monobook.js: [last edited 2021]

  • [[User:Lupin/popups.js]]

Commons:
No common.js or css

monobook.js: [last edited 2021]

  • catALot

Beta features:

  • Discussion tools
  • Paragraph-based edit conflict

non-default gadgets:

  • popups
  • Add an [edit] link for the lead section of a page.
  • Pretty log
  • Allow /16,/24-/32 CIDR ranges on Special:Contributions forms
  • Gallery Details
  • Add {{Information}}
  • What Is That
  • Quick Delete
  • Cat-a-lot
  • GLAMorous
  • Geocoding To Do

en.wiktionary
no common.js
monobook.js: [last edited 2013]

  • [[User:Lupin/popups.js]]

common.css: [last edited 2023]

  • .serial-comma { display: inline; }

non-default gadgets:

  • Navigation popups
  • Add accelerated creation links for common inflections of some words.
  • HotCat

beta features:

  • Paragraph-based edit conflict

Change #1092941 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1092941

Change #1092941 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1092941

Now logged out from euwiki (~16:45 CET) but still logged in at Meta:

irudia.png (72×476 px, 5 KB)

irudia.png (411×1 px, 73 KB)

Change #1093961 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.4] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1093961

Change #1093961 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.4] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1093961

Mentioned in SAL (#wikimedia-operations) [2024-11-21T21:38:58Z] <brennen@deploy2002> Started scap sync-world: Backport for [[gerrit:1079640|Reduce number of bucketsizes for MediaViewer (group0) (T372165)]], [[gerrit:1093961|Set 'remember' central session object field when recreating (T379254 T372702)]], [[gerrit:1093962|Use cookie to access central session when local session expired]]

Mentioned in SAL (#wikimedia-operations) [2024-11-21T21:42:48Z] <brennen@deploy2002> brennen, tgr, simon04: Backport for [[gerrit:1079640|Reduce number of bucketsizes for MediaViewer (group0) (T372165)]], [[gerrit:1093961|Set 'remember' central session object field when recreating (T379254 T372702)]], [[gerrit:1093962|Use cookie to access central session when local session expired]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Sorry for the slow response! I think we finally figured out what's going on (T379254: centralauth_Token cookie not set on top-level autologin has more details) and have a presumed fix in place. I'm not entirely sure about it - the bug we have found would explain the uptick of autologins in F57600480, and would explain regular switches from logged-in to anonymous (about once a day), but I would still expect that clicking on "Login" logs you in without having to enter username and password. So maybe multiple things are broken.

Anyway please let me know if you see an improvement. It's probably not immediate and would start after your next login.

I have also been experiencing this in the last few months, being repeatedly logged out of English Wikisource, on Firefox.

This has not stopped or changed in any way since this morning.

Note: This is happening to me really, really often, at least ten times a day, every day. Writing this as it appears that it's not the same for everyone. It mainly happens when I go to another WMF wiki.

At about 21:30 UTC today (22 November) I'm simultaneously logged in on en.wp but logged out on Commons. When clicking log in on Commons I was taken to the login screen to enter my details including 2FA.
I had previously logged in to Montage to review images for Wiki Loves Monuments and followed a link to Commons from there, but I am also logged into Commons in other tabs of the same browser (I didn't think to check them before logging back in, sorry).

I just was away from my desktop for a few hours. When I came back, I was logged out on enwiki. There was a message in a box that said something like "You are logged in centrally, but you need to log in again". I know that's not the exact wording, but the message has gone away now. Meanwhile, I'm still logged in to commons, wikidata, and wikisource.

I refreshed the enwiki page (did not click the "login" link), and now I'm logged into enwiki again without ever going through a login flow.

I was logged in at 09:13 and logged out from euwiki at 09:15. Only clicking at recent changes, nothing more.

Logged out again this morning on enwiki, commons, and wikidata. Approximately 1617 UTC. Clicking the login link got me to an "enter your username and password" screen, followed by a 2FA screen.

Oddly enough, I was still logged into wikiconference.org, which I thought was part of the single-signon domain, but perhaps not?

No, it's not WMF hosted.

Last week's patch looks promising, but sounds like it may be hard to measure because it's going to kick in gradually.

Do we have a grafana we can look at to see if the issue graph has gone down since the patch?

Just got logged out unexpectedly from Wikidata, Commons, loginwiki, and Meta but not the English Wikipedia (2024-11-24 ~21:10Z). Last edit was to Wikidata at 20:06Z. Clicking "Log in" requires creds, the CentralAuth API reports not logged in.

Top-level autologin metrics seem to be recovering:

Screenshot Capture - 2024-11-25 - 09-48-33.png (1×2 px, 456 KB)

So I think this was a superposition of multiple bugs, and we fixed one of them last week, but probably not the main one.
(That also means that the specific week that was indicated by top-level autologin metrics as the beginning is not necessarily the right week to look for a cause.)

Was logged out on mobile on non-Wikipedias this morning (13:50Z), had to log in again.

@Tgr: Wouldn't it be easier to recode the login and authentication routines or to revert to backups of the pre-August 2024 version? What is your opinion on that?

If it was caused at our side it would have been much easier to track down. I think this is more an external factor.

There are many things that might be involved in such a problem (core session handling, CentralAuth session handling, CentralAuth login / central login / autologin, session store infrastructure, possibly edge cache infrastructure), and several of those are under active development and change a lot in four months. Rewriting or mass-reverting even one of those isn't really feasible.

Just for tracking the issue: I have been logged out every day, sometimes even twice, in the last week. I don't know if the solution given is improving something, but I'm just seeing the opposite.

Change #1101160 had a related patch set uploaded (by Paladox; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@REL1_43] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101160

Change #1101161 had a related patch set uploaded (by Paladox; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@REL1_42] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101161

Change #1101161 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_42] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101161

Change #1101160 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_43] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101160

Not wanting to tempt fate, but this might now be solved. I've not been logged out for over a month now (22 November was the last time) and there haven't been any recent reports here since @Theklan on 1 December.

Same here. I haven't seen any more problems since my last report on Nov 24.

(Not solved for me, still getting logged out of enws multiple times a day. For me, nothing has changed.)

I was logged out in the morning around 9:30 AM (IST) and again at 3:30 PM (IST)

I was again logged out (3:53 PM IST)

I use Firefox. I often get seemingly logged out on Wikidata while being logged in on another wiki. Then I usually get the message that refreshing the page will log me in again (not always though).

Quite recently, I started getting "Invalid CSRF token" messages when using "mark as read" and "unwatch" buttons on https://meta.wikimedia.org/wiki/Special:GlobalWatchlist (these make a POST request to a foreign wiki). Refresh does not help, the issue usually persists throughout the session and keeps returning.

Yesterday, my Toolforge bot (uses bot passwords) started producing various messages related to sessions:

  • ERROR: User assertion failed. Forcing re-login.
  • ERROR: Logged in as '172.16.6.118' instead of 'MatSuBot'. Forcing re-login.

eventually crashing on an unavailable patrol token.

Note: now solved, at least for me.

I think that proves my suspicion that there were two unrelated errors: the one described in T379254 (introduced around August 10 and fixed around November 20) which reduced session lifetime to 24 hours under certain fairly common circumstances, and resulted in a big increase in top-level autologins; and another one which affects fewer people, and can cause multiple logouts on the same wiki within 24 hours.

It's a bit unmanageable to mix multiple issues in a task so I filed a new one for the still unresolved issue (T383566: Some editors are frequently getting logged out (multiple times a day)) - if you are still affected please subscribe there. I'll go out on a limb and mark this one resolved - given there's another similar issue happening in parallel, it's a bit hard to say which report was caused by which, but clearly logout issues are resolved for some people, and top-level autologins, which were the only "objective" metric that correlated with this bug, returned to normal the same day we deployed the fix:

Screenshot Capture - 2025-01-12 - 19-37-24.png (1×3 px, 1 MB)

(Although actually they are still slightly higher after Nov 20 than they were before August, but that could be seasonal variation, the effect of the temp account rollout or any other thing. The dip in the middle matches the DC switch so probably related to that, although I'm not sure about the exact mechanics. Still, I think this is proof enough.)

matmarex closed subtask Restricted Task as Resolved. Jan 13 2025, 6:01 PM

@Tgr: Thank you very much indeed for helping us to kill the bug! Have a good New Year!

After some weeks without being logged out, in the last two days I have been logged out randomly from Wikipedia, Commons and Wikidata, and even logging in for one of them doesn't globally log in for the others.

What’s happening to me is that I work in three lines at the same time.

  • I use WD Querybuilder. No problem there. I’m logged almost forever, no need to re-log (well, I think once a month or something like that, so much time that I’m not really sure).
  • I use Commons. Again, I’m logged for a very long time. I think I have to re-log when I’ve had my computer turned off for about a day or so.
  • And then, Wikidata. I go into WD from QB, from Commons or just from its Main Page. When I log in, I have my settings (Spanish language, for instance) set. But as I make some edits (not always the first one, can be the 1st, 2nd, 3rd, but not much longer) the program complains that some edit cannot be done because I’m no longer logged. Almost instantly (not always, sometimes I really have to log again) a pop-up appears saying that I’m globally logged. Then I have two options. (A) If I re-log, I get my Spanish things back… but they won’t last long; I will be unlogged in a short time. (B) I keep editing without logging; edits appearing as done by an IP while I have all explanations and stuff in English (not a great deal once you realize that Spanish 4 abr 2025 is 4 April 2025, and some other minor adjustments). Another thing I’ve noticed is that in

I’ve been working like that for 5 days and my main concern is that sometimes I do have to explain things to people who do not master English at all

PROBLEM SOLVED by erasing cookies. No unlogging for 24 hours, all things seem to be working fine.