
centralauth_Token cookie not set on top-level autologin
Closed, ResolvedPublic

Description

Not sure if it's a bug, but I seem to have gotten my login session into a weird state.

A long while ago, I logged in with the "Keep me logged in" option checked. Today, on https://login.wikimedia.org/, I still have the centralauth_Token cookie set. However, if I visit any other wiki where I'm not logged in, e.g. https://en.wikipedia.org/, and click "Log in" (which logs me in automatically without typing the password, using top-level autologin), the centralauth_Token cookie is not set, only centralauth_Session is. This means that I have to perform the top-level autologin basically every day.

I can't reproduce this if I log into another account in a private window or another browser.

The centralauth_Token cookie is definitely valid. If I copy it manually into a private browser window, alongside centralauth_User, I become logged in.

Event Timeline


I've poked at this a little bit locally but I can't seem to reproduce this. Below is what I tried:

  • Have a list of wikis in my $wgCentralAuthAutoLoginWikis
  • Visit a local wiki for my case and login (setting "remember me")
  • Check that I've been automatically in the local wiki and all the wikis in $wgCentralAuthAutoLoginWikis
  • See that centralauth_Token cookie is set for all the wikis in autologin wikis
  • Intentionally visit a wiki that is not in the list of autologin wikis, and yes I'm not logged-in (expected)
  • Click on "Login" link and I'm automatically logged in (top-level autologin) and I checked the cookies and sure, the centralauth_Token was set for this wiki too (note, it wasn't in the list of autologin wikis).

One thing about my local setup is that all the wikis are on the same parent domain and if my local login is successful, . You said A long while ago, I logged in with the "Keep me logged in" option checked. Do you remember if the wiki you logged into had a centralauth_Token cookie set for enwiki for example or any of the .wikipedia.org parent domain?

I don't know why the "remember me" flag isn't inherited and applied in the case mentioned above. Sounds like a bug to me but not sure what's happening to that session ID.

Locally, I also checked the session entry after logging in with remember me, I see something like:

> $sb->get( 'global:session:centralauth:<centralauth_Session>' );
= [
    "remember" => true,
    "sessionId" => "<centralauth_Session>",
    "expiry" => 1731160067,
    "user" => "Admin",
    "token" => "<token>",
  ]
>

Notice how remember is set to true for that centralauth session ID? It should be inherited and applied to your local session during top-level autologin. Also, this might not be reproducible in Google Chrome. I'll try Firefox.

Seems like task T377561: "Keep me logged in" flag unreliable on the central domain is related to this task. @Tgr, the linked task is related to this one. Could it be that Matmarex is experiencing this issue now? I suspect so.

I'm currently looking at: https://gerrit.wikimedia.org/g/mediawiki/extensions/CentralAuth/+/44e8bab2f7501bfc415c751bf264ed08e66ca4ce/includes/Special/SpecialCentralAutoLogin.php#266 which is where we make an attempt to copy the "remember me" state from the central session over to the local session.

That task is the opposite: centralauth_Token doesn't get set on loginwiki.

> I'm currently looking at: https://gerrit.wikimedia.org/g/mediawiki/extensions/CentralAuth/+/44e8bab2f7501bfc415c751bf264ed08e66ca4ce/includes/Special/SpecialCentralAutoLogin.php#266 which is where we make an attempt to copy the "remember me" state from the central session over to the local session.

We know that logic worked (back when Bartosz logged in) since he has a valid centralauth_Token cookie on loginwiki. The local cookie is set (during autologin at least) in the setCookies branch, which takes the remember flag from here.

> Notice how remember is set to true for that centralauth session ID? It should be inherited and applied to your local session during top-level autologin.

Yeah my guess would be that you ended up with a central session object which has remember set to false. (Why do we even have that flag, rather than using the actual "remembered" state from loginwiki? Not sure, TBH.)

> Yeah my guess would be that you ended up with a central session object which has remember set to false.

We checked it and that's indeed the case.

I have a theory of what's happening:

  • You start in a consistent state (centralauth_Token cookie on local and central domain, remember => true in central session store).
  • Both the central session and the local session for the central domain expire (either the cookie or the object). It's not meant to be very long-lived, a browser restart or 24 hours of inactivity would do it for the central session, the local session is even more short-lived than that.
  • On your next central autologin attempt, SessionManager creates a SessionInfo from the centralauth_Token cookie. That will be a valid logged-in SessionInfo with the remember flag set, but since the local session expired, it won't have a session ID. That will cause SessionManager to create a new local session and persist.
  • CentralAuthSessionProvider::persistSession() will create a new central session object if there isn't one, and that won't have its remember field set.
  • The /validateSession autologin step will look up the remember field of the central session data, pass it to the /setCookies step, and that will be used to determine whether the local session should be remembered.

So the two potential things to fix (either one is enough):

  • persistSession() should, when creating a new central session, initialize the remember field based on whether the session is remembered
  • /validateSession should maybe use the session's remember flag instead of the central session data (at which point, not sure if we even need that field in the central session data anymore)

> Both the central session and the local session for the central domain expire

Actually, it might even be enough for just the local session on the central domain to expire. That would still mean no session ID -> re-persisting, and CentralAuthSessionProvider::provideSessionInfo() uses the centralauth_Session cookie to look up the central session object, but CentralAuthSessionProvider::persistSession() doesn't: it relies on the central session ID stored in the local session. That's probably also something we should fix.
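To make the theory above concrete (the expiry sequence in the list, and the follow-up point that persistSession() relies on the central session ID stored in the local session rather than on the centralauth_Session cookie), here is an added toy model in Python. It is not CentralAuth or MediaWiki code: the in-memory stores, the `local_session` cookie name, the SessionInfo shape and every function are hypothetical stand-ins that mirror only what the thread describes. It replays the scenario with neither fix, with the 'remember' initialization on recreate (change 1092941), and with a cookie-based central session lookup (the approach named by change 1093962 in the SAL entries).

```python
"""Toy model of the autologin 'remember me' flow; added example, not CentralAuth code.
All stores, names and flows are assumptions that follow the thread's description."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stores standing in for the real session backends.
CENTRAL_STORE = {}   # central session id -> {"user", "token", optional "remember"}
LOCAL_STORE = {}     # local session id   -> {"user", "centralSessionId"}
USER_TOKENS = {"Admin": "tok-" + secrets.token_hex(8)}  # constructed: user -> central token


@dataclass
class SessionInfo:
    user: str
    remember: bool
    session_id: Optional[str]   # None once the local session object has expired


def reset_stores():
    CENTRAL_STORE.clear()
    LOCAL_STORE.clear()


def central_login(cookies, user, remember):
    """Password login on the central domain: creates both session objects and sets cookies."""
    csid = secrets.token_hex(8)
    CENTRAL_STORE[csid] = {"user": user, "token": USER_TOKENS[user], "remember": remember}
    lsid = secrets.token_hex(8)
    LOCAL_STORE[lsid] = {"user": user, "centralSessionId": csid}
    cookies.update({"centralauth_User": user, "centralauth_Session": csid, "local_session": lsid})
    if remember:
        cookies["centralauth_Token"] = USER_TOKENS[user]


def provide_session_info(cookies):
    """Model of provideSessionInfo(): prefer the live local session, else fall back to the token."""
    lsid = cookies.get("local_session")
    if lsid in LOCAL_STORE:
        local = LOCAL_STORE[lsid]
        remember = CENTRAL_STORE.get(local["centralSessionId"], {}).get("remember", False)
        return SessionInfo(local["user"], remember, lsid)
    user, token = cookies.get("centralauth_User"), cookies.get("centralauth_Token")
    if user and token and USER_TOKENS.get(user) == token:
        return SessionInfo(user, True, None)   # valid and remembered, but no session id
    return None


def persist_session(cookies, info, *, init_remember, use_cookie):
    """Model of persistSession(); the keyword flags switch on the two fixes discussed above."""
    if info.session_id is None:                      # expired local session -> create a new one
        info.session_id = secrets.token_hex(8)
        LOCAL_STORE[info.session_id] = {"user": info.user, "centralSessionId": None}
        cookies["local_session"] = info.session_id
    local = LOCAL_STORE[info.session_id]
    csid = local["centralSessionId"]                 # None for a freshly created local session
    if csid not in CENTRAL_STORE and use_cookie:     # fix 2: fall back to the centralauth_Session cookie
        csid = cookies.get("centralauth_Session")
    if csid not in CENTRAL_STORE:                    # no central session reachable -> recreate it
        csid = secrets.token_hex(8)
        CENTRAL_STORE[csid] = {"user": info.user, "token": USER_TOKENS[info.user]}
        if init_remember:                            # fix 1: carry the flag over when recreating
            CENTRAL_STORE[csid]["remember"] = info.remember
        # without fix 1 the recreated object has no 'remember' field at all (the bug)
    local["centralSessionId"] = csid
    cookies["centralauth_Session"] = csid
    return csid


def top_level_autologin(central_cookies, local_cookies, *, init_remember=False, use_cookie=False):
    """/validateSession on the central domain, then /setCookies on the local wiki.
    Returns True when the local wiki ends up with a centralauth_Token cookie."""
    info = provide_session_info(central_cookies)
    if info is None:
        return False
    csid = persist_session(central_cookies, info, init_remember=init_remember, use_cookie=use_cookie)
    remember = CENTRAL_STORE[csid].get("remember", False)       # /validateSession reads this field
    local_cookies.update({"centralauth_User": info.user, "centralauth_Session": csid})
    if remember:                                                # /setCookies honours it
        local_cookies["centralauth_Token"] = USER_TOKENS[info.user]
    return "centralauth_Token" in local_cookies


def scenario(*, central_expired, init_remember=False, use_cookie=False):
    """Replay the thread's theory: remembered login, expiry on the central domain, autologin."""
    reset_stores()
    central, local = {}, {}
    central_login(central, "Admin", remember=True)
    LOCAL_STORE.pop(central.pop("local_session"))               # local session on the central domain expires
    if central_expired:
        CENTRAL_STORE.pop(central["centralauth_Session"])       # the central session object expires too
    return top_level_autologin(central, local, init_remember=init_remember, use_cookie=use_cookie)


if __name__ == "__main__":
    for kwargs in ({"central_expired": True}, {"central_expired": False},
                   {"central_expired": False, "use_cookie": True},
                   {"central_expired": True, "init_remember": True}):
        print(kwargs, "-> centralauth_Token set on local wiki:", scenario(**kwargs))
```

With neither fix the local wiki never gets centralauth_Token, even when only the local session on the central domain has expired. The cookie-based lookup alone rescues the case where the central session object still exists, while initializing 'remember' on recreate covers both cases, which is why either fix was enough for the symptom reported here.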

Change #1092941 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1092941

DAlangi_WMF changed the task status from Open to In Progress. Nov 20 2024, 1:05 PM
DAlangi_WMF assigned this task to Tgr.

Change #1092941 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1092941

@matmarex, I confirm that @Tgr's patch fixes this issue from my local testing. I'm pretty sure this should not happen again, hence we can resolve this.

Change #1093961 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.4] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1093961

Change #1093961 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.4] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1093961

Mentioned in SAL (#wikimedia-operations) [2024-11-21T21:38:58Z] <brennen@deploy2002> Started scap sync-world: Backport for [[gerrit:1079640|Reduce number of bucketsizes for MediaViewer (group0) (T372165)]], [[gerrit:1093961|Set 'remember' central session object field when recreating (T379254 T372702)]], [[gerrit:1093962|Use cookie to access central session when local session expired]]

Mentioned in SAL (#wikimedia-operations) [2024-11-21T21:42:48Z] <brennen@deploy2002> brennen, tgr, simon04: Backport for [[gerrit:1079640|Reduce number of bucketsizes for MediaViewer (group0) (T372165)]], [[gerrit:1093961|Set 'remember' central session object field when recreating (T379254 T372702)]], [[gerrit:1093962|Use cookie to access central session when local session expired]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Change #1101160 had a related patch set uploaded (by Paladox; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@REL1_43] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101160

Change #1101161 had a related patch set uploaded (by Paladox; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@REL1_42] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101161

Change #1101161 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_42] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101161

Change #1101160 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_43] Set 'remember' central session object field when recreating

https://gerrit.wikimedia.org/r/1101160
