Page MenuHomePhabricator
Create Task
Maniphest T390830

Cookie warning, errors and new SUL3
Closed, InvalidPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:
My log is littered with hundreds of warnings and errors. Seriously there are more then 200 bad cookies set. I thought SUL3 was supposed to fix this. It doesn't seem like it did.

There are hundreds of calls to set cookies like:

And seeing incubator.wikimedia is just weird. I don't know if I've been on that site this year. I have 0 edits on that site.

What should have happened instead?:
Well this is not how normal SSO (single sign-on) works. Could you imagine visiting accounts.google and pinging a thousand websites which happen to use Google Authentication? I'm sorry, but auth.wiki SSO implementation just seems absurd to me.

How does standard SSO work:

  1. You visit a website.
  2. You are prompted to log in or redirected to login to SSO site (that would be auth.wiki in this case).
  3. If you were centrally logged in you are immediately redirected back.

If you really must set a cookie on each website please at least:

  1. Filter out sites to which I don't contribute. This should be relatively easy to figure out. All the data is already on: https://meta.wikimedia.org/wiki/Special:CentralAuth/Nux
  2. Set cookies on main domain:
    1. https://pl.wikisource.org/ -> .wikisource.org
    2. https://pl.wiktionary.org/ -> .wiktionary.org
    3. https://pl.wikinews.org/ ->.wikinews.org
    4. https://pl.wikibooks.org/ -> .wikibooks.org
    5. https://commons.wikimedia.org/ -> .wikimedia.org
    6. https://www.wikidata.org -> .wikidata.org

That would mean 3-10 cookies, and avoid setting up separate sessions on 150 websites. Even if under the hood there are 150 mediawiki installations you can still set a cookie saying "User Nux is authenticated on auth.wiki" and another saying "User is using skin X". That would be enough to keep the experience smooth.

A user option could be set to also say if he.she wants a quick redirect to be fully authenticated. So a visit to a more exotic site after normal login could look like this:

  1. Login on enwiki.
    1. Redirect to auth.wiki (https://auth.wikimedia.org/...)
    2. I log in.
    3. SUL setup cookies on main domains (up to 20 calls). sul3_user="Nux"; user_skin="monobook" (I'm using vector but for the sake of example...).
  2. I visit https://www.wikifunctions.org/wiki/ I see it as if visited: https://www.wikifunctions.org/w/index.php?title=Wikifunctions:Main_Page&useskin=monobook
  3. I'm immediately redirected to auth.wiki.
  4. I'm back to wikifunctions fully authenticated.

I want to stress out this is not just a nice theory. I know this works. This is almost exactly what we have at the moment for Polish and UK libraries. There are multiple host servers (separate, physical machines) and even more application servers (separate virtual machines). For those installations that have common SSO once you log in to https://mol-app0101.molnet.mol.pl/lms/ you would be immediately logged in when visiting https://mol-app0701.molnet.mol.pl/lms/... Assuming you would be a librarian of course :)

Software version: SUL3, plwiki et al

Other information (browser name/version, screenshots, etc.):
Firefox 136, Windows 11.

obraz.png (908×713 px, 117 KB)
...
obraz.png (929×715 px, 129 KB)
obraz.png (912×717 px, 140 KB)

Related Objects

Event Timeline

Nux created this task.Apr 2 2025, 9:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 2 2025, 9:09 AM
Nux updated the task description. (Show Details)Apr 2 2025, 9:11 AM
Johannnes89 added projects: SUL3, MediaWiki-Platform-Team.Apr 2 2025, 9:31 AM
Tgr subscribed.Apr 2 2025, 12:05 PM

The SameSite errors are not authentication related. The partitioning warnings are IMO fine, there is still value in those cookies as long as Chrome doesn't partition/block them (that's like 80% of the userbase).

There are hundreds of calls to set cookies like:
https://meta.wikimedia.org/wiki/Special:CentralAutoLogin/setCookies?type=1x1&from=plwiki&usesul3=1
https://species.wikimedia.org/wiki/Special:CentralAutoLogin/setCookies?type=1x1&from=plwiki&usesul3=1
https://incubator.wikimedia.org/wiki/Special:CentralAutoLogin/setCookies?type=1x1&from=plwiki&usesul3=1

18 x 5 calls to be exact, it's a five-step redirect for every domain in $wgCentralAuthAutoLoginWikis.

That's edge login, done since 2010 or so. The user impact is that you will be logged in when you visit any other wiki, rather than not being logged in and then getting a popup that you have been logged in in the background and please reload. Once could certainly argue the tradeoff is not worth it (although "it clutters my developer console" is not a very strong argument, specifically).

Filter out sites to which I don't contribute.

When you visit a site you haven't contributed to before, your account is automatically autocreated and you are logged in already on the first pageview. That requires session cookies.

Again, one could argue it shouldn't be done that way, it has been done that way since 2010.

Set cookies on main domain:
https://pl.wikisource.org/ -> .wikisource.org
https://pl.wiktionary.org/ -> .wiktionary.org
https://pl.wikinews.org/ ->.wikinews.org
https://pl.wikibooks.org/ -> .wikibooks.org
https://commons.wikimedia.org/ -> .wikimedia.org
https://www.wikidata.org -> .wikidata.org
That would mean 3-10 cookies, and avoid setting up separate sessions on 150 websites.

This is pretty much what happens. I'm not sure where you got the idea that 150 websites are involved.

It does mean a lot of cookies anyway because there's something like 7 cookies per session.

I visit https://www.wikifunctions.org/wiki/ I see it as if visited: https://www.wikifunctions.org/w/index.php?title=Wikifunctions:Main_Page&useskin=monobook
I'm immediately redirected to auth.wiki.
I'm back to wikifunctions fully authenticated.

This is how a number of other websites deal with SSO. Those are typically websites which can easily differentiate between the URLs that are only useful after authentication, and the ones where authentication doesn't matter. Wikipedia is not like that. Most URLs are content, but what you can do with that content and how it looks depends very much on whether you are authenticated. Which means it's hard to decide whether there should be an SSO redirect. Unwanted redirects are bad, e.g. because they don't preserve the URL fragment.

Nux added a comment.EditedApr 2 2025, 12:32 PM

That would mean 3-10 cookies, and avoid setting up separate sessions on 150 websites.

This is pretty much what happens. I'm not sure where you got the idea that 150 websites are involved.

That's not what happens. I see many calls loading fake 1x1 png image. For example en.wikivoyage:

https://en.wikivoyage.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=plwiki&usesul3=1

And I don't even use en.wikivoyage ;). There were 86 requests even when I just visited pl.wikipedia.org. There are separate calls to en.something and pl.something. I didn't debug this, but this definitely doesn't look like 3-10 websites to me. So no, it doesn’t work the way I described as an expected result.

It also seems SUL3 just lost my session even on my home wiki and just after 3 hours. I had to manually refresh the page which is just annoying. I hope this part at least is some temporary caching/proxy problem or something like that. Because this is actually worse then before SUL3.

matmarex added a project: MediaWiki-extensions-CentralAuth.Apr 2 2025, 4:08 PM
Tgr closed this task as Invalid.Apr 2 2025, 4:12 PM
In T390830#10703440, @Nux wrote:

I didn't debug this, but this definitely doesn't look like 3-10 websites to me.

Well I did debug it, extensively, many times. So I don't see much point in a discussion where you make claims about it but are uninterested in actually testing them.

It also seems SUL3 just lost my session even on my home wiki and just after 3 hours. I had to manually refresh the page which is just annoying.

Unfortunately that's another area where there is not much point discussing it unless you are willing to get your hands dirty and debug. Session losses do happen fairly regularly, but the potential reasons are very diverse, it's not really possible to log the relevant events, and so it's usually impossible to identify the cause without quite detailed information about exactly what cookies are written in what requests.

matmarex subscribed.Apr 2 2025, 4:22 PM
In T390830#10703440, @Nux wrote:

That would mean 3-10 cookies, and avoid setting up separate sessions on 150 websites.

This is pretty much what happens. I'm not sure where you got the idea that 150 websites are involved.

That's not what happens. I see many calls loading fake 1x1 png image. For example en.wikivoyage:

https://en.wikivoyage.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=plwiki&usesul3=1

And I don't even use en.wikivoyage ;). There were 86 requests even when I just visited pl.wikipedia.org. There are separate calls to en.something and pl.something. I didn't debug this, but this definitely doesn't look like 3-10 websites to me. So no, it doesn’t work the way I described as an expected result.

There are 18 wikis on the list, which is a lot, but not 150. Each one of them starts a chain of up to 5 requests where each one redirects to the next step, which explains why you're seeing ~86 requests.

For the wikis with multiple language editions, the cookie are set for top-level domains (e.g. wikipedia.org, not en.wikipedia.org), which causes you to be logged in in all languages. Using e.g. enwiki in that list is just an arbitrary choice.

The only way to avoid these warnings would be to remove the "edge login" feature, which would indeed make our system more like a standard SSO auth. Personally I kind of wish that we'd do that (since it's complex, and it will no longer work once all browsers block third-party cookies), but for a very long time, we have promised things like "Special:UserLogin now logs the user in to every unified wiki simultaneously" (quote from https://meta.wikimedia.org/wiki/Help:Unified_login), so such a change may be a surprise to users, and we don't want to make it lightly.

Novem_Linguae subscribed.Apr 4 2025, 1:22 PM
matmarex added a comment.Apr 7 2025, 8:31 PM
In T390830#10704848, @matmarex wrote:

The only way to avoid these warnings would be to remove the "edge login" feature, which would indeed make our system more like a standard SSO auth. Personally I kind of wish that we'd do that (since it's complex, and it will no longer work once all browsers block third-party cookies), but for a very long time, we have promised things like "Special:UserLogin now logs the user in to every unified wiki simultaneously" (quote from https://meta.wikimedia.org/wiki/Help:Unified_login), so such a change may be a surprise to users, and we don't want to make it lightly.

I filed T391288: Consider removing edge login and subresource autologin in the future for future discussions about this. We are very much not planning to do it now or soon, though.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits