
Visiting Special:PluggableAuthLogin without a `_session` cookie should generate one
Closed, Resolved · Public · Bug Report

Description

MW: 1.41.1
PluggableAuth: 7.1.0 (4111a57)
OpenIDConnect: 8.0.2 (3a3fca9)
jumbojett/openid-connect-php: 1.0.0

Steps to replicate the issue:

  1. Visit a wiki that restricts read access to logged-in users. The wiki should be configured with automatic login and be set up to use only one authentication method (e.g. OpenIDConnect) to view it.
  2. Log in and verify your access to the wiki.
  3. Close the browser with Alt-f x.
  4. Open the browser.
  5. Press Ctrl-Shift-T to open the previously closed browser.
  6. See error: Fatal error authenticating user.

Set $wgRememberMe = "always";

Verify that the above steps do not result in the same error.

Repeat the same steps with this additional one after step 2:

  2b. Clear your cookies for the site.

Verify that you now see error again.

Before closing Chrome, I verified the URL was not on the Special:PluggableAuthLogin page (where the error occurs). Most recently, it was on Special:Version and I verified that Ctrl-Shift-T brought up Special:Version initially.

The PluggableAuthLogin URL contained ?code=XXXX...&iss=XXXX...&state=XXXX...&client_id=XXXX.... Clicking the logo on the sidebar (to visit Main_Page or the equivalent) was successful.

Starting Chrome with devtools (possible with Chrome's --auto-open-devtools-for-tabs CLI option) shows that the initial request (may) be missing the session cookie. In fact, visiting the site "normally" after clearing cookies and starting the browser, that is, typing the URL into the browser, seems to bring up the site properly, but also populates the session cookie.

Examination of the requests shows that it goes to Special:PluggableAuthLogin without visiting Special:UserLogin where the session cookie is set.

I'm a bit confused about why the first request is to Special:PluggableAuthLogin when restoring the tab. I would think it would be to the url on the page when the browser closed. But, in any case, it looks like a visit to Special:PluggableAuthLogin without a session cookie should result in a visit to Special:UserLogin to get the session cookie (or some other method to generate the session cookie).

Event Timeline

Hmm... Looking more closely, it looks like Chrome is caching the redirect it gets from Special:PluggableAuthLogin since the initial request to the URL shows 302 Found (from disk cache) in the browser's dev tools.

Aklapper renamed this task from "Visiting Special:PluggableAuthLogin without a `_sesssion` cookie should generate one." to "Visiting Special:PluggableAuthLogin without a `_session` cookie should generate one." Aug 27 2024, 9:29 AM

The redirect code was a red herring.

The problem here is that we've identified a case where the returntourl can be null without blaming the authentication plugin.

It is rare, but it will happen if the user somehow loses their cookies on a wiki. This can be mitigated with $wgRememberMe = "always"; but my user reported it after we set $wgRememberMe = "always"; (though, I suppose it is possible that the problem came with an overlap of cookies without the effects of $wgRememberMe and the expiration of the user's cookies).

In my tests hard-coding a redirect to Special:UserLogin when the user didn't have a return URL solved the problem. This is the right solution on my SSO-protected wiki, but, on a wiki without login-required-to-read, the right solution might be keeping the message or redirecting to the Main_Page.

Change #1069300 had a related patch set uploaded (by MarkAHershberger; author: MarkAHershberger):

[mediawiki/extensions/PluggableAuth@master] Redirect to main page if no returnToUrl is found

https://gerrit.wikimedia.org/r/1069300

Change #1069300 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@master] Redirect to login page with an error message if no returnToUrl is found

https://gerrit.wikimedia.org/r/1069300

Change #1111274 had a related patch set uploaded (by Cicalese; author: MarkAHershberger):

[mediawiki/extensions/PluggableAuth@REL1_39] Redirect to login page with an error message if no returnToUrl is found

https://gerrit.wikimedia.org/r/1111274

Change #1111275 had a related patch set uploaded (by Cicalese; author: MarkAHershberger):

[mediawiki/extensions/PluggableAuth@REL1_43] Redirect to login page with an error message if no returnToUrl is found

https://gerrit.wikimedia.org/r/1111275

Change #1111274 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@REL1_39] Redirect to login page with an error message if no returnToUrl is found

https://gerrit.wikimedia.org/r/1111274

Change #1111275 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@REL1_43] Redirect to login page with an error message if no returnToUrl is found

https://gerrit.wikimedia.org/r/1111275

cicalese claimed this task.
cicalese moved this task from Backlog to Closed on the MediaWiki-extensions-OpenID-Connect board.
cicalese moved this task from Backlog to Closed on the MediaWiki-extensions-Pluggable-Auth board.