Page MenuHomePhabricator
Create Task
Maniphest T372703

Set central session ID on the local wiki during SUL3 login
Open, Needs TriagePublic
Actions

Description

Currently when logging in to multiple wikis via central login / autologin, all wikis will end up with the same central session (they will have the same centralauth_Session cookie value, and so the CentralAuth session provider will fetch the same data hash in the central session store when verifying a request). With the current implementation of SUL3, this is not the case - the local wiki and the shared login domain will end up with different central session IDs.

I'm not sure if this has any effect in practice (we don't store random data in the central session like we do in the local one, and logout relies on the central user token). Still, it would be nice to fix.

Central login and autologin send the central session ID via the token store and then set it manually (via the $reset argument of CentralAuthSessionManager::setCentralSession()). In SUL3, we can send the ID the same way but (as opposed to central login / autologin which do it manually) the local session will be updated by AuthManager, so it's less obvious where and how to inject the session ID:

  • We can do it after login (e.g. in the postAuthentication() auth provider callback), but by then a new central session has already been created and so that will be left behind. (Not a big deal, but again, nicer if we don't do it.)
  • We can store the central session ID as soon as we receive it (before the user actually gets logged in), as it's stored in the local session as normal data, and we can do that even for unattached sessions, but then we'd have to be really sure that won't go wrong somehow if another login provider interrupts login and the user does not get logged in, and then the local session is reused.
  • We could add a new hook point (eww).
  • We could delay saving the session until postAuthentication() has run so one can freely mess with it (this came up for T369668: Figure out how to handle "remember me" flag in SUL3 login flow but in the end we chose a different approach). That would probably make the system a little less robust (an error in one of the callbacks would mean session cookies don't get written), although amost nothing uses post-authentication callbacks so realistically it wouldn't matter much.

Related Objects
Search...

Event Timeline

Tgr created this task.Aug 17 2024, 1:07 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptAug 17 2024, 1:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a parent task: T369467: SUL3: Consider adding interstitial when the user is already logged in centrally.Aug 17 2024, 1:07 PM
Tgr moved this task from Backlog to Ready on the SUL3 board.
Tgr edited parent tasks, added: T363699: Determine and implement SUL 3 login handshake mechanism; removed: T369467: SUL3: Consider adding interstitial when the user is already logged in centrally.
Krinkle moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Aug 19 2024, 2:27 PM
Tgr moved this task from Ready to Later on the SUL3 board.Sep 2 2024, 11:22 AM
Tgr added a comment.Apr 8 2025, 2:26 PM

Possibly the cause of T391358: SUL3 login broken when the local wiki and the central domain are in the same $wgCentralAuthCookieDomain set.

Tgr mentioned this in T391356: Handle errors during Special:UserLogin/return better.Apr 8 2025, 2:26 PM
Tgr mentioned this in T391358: SUL3 login broken when the local wiki and the central domain are in the same $wgCentralAuthCookieDomain set.Apr 14 2025, 7:35 PM
Eevans added a parent task: Restricted Task.May 2 2025, 9:17 PM
Eevans removed a parent task: Restricted Task.May 13 2025, 4:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits