Page MenuHomePhabricator
Create Task
Maniphest T391288

Consider removing edge login and subresource autologin in the future
Open, Needs TriagePublic
Actions

Description

(this is a placeholder for discussion in far future)

CentralAuth's edge login and subresource autologin are two of the mechanisms it uses to try to log you into all of the wikis when you log in just once. They do not work in browsers that block third-party cookies, and the user experience of being automatically logged in is unlike any other SSO system I've ever seen, and probably unlike the SSO systems our users are familiar with.

For these reasons I wish that we would remove them at some point after third-party cookie blocking becomes common.

However, we have promised things like "Special:UserLogin now logs the user in to every unified wiki simultaneously" for a very long time, so this isn't a decision we can make lightly, and it would come as a surprise to users whose browsers continue to allow third-party cookies (or who allow them themselves).

It would be a lot of effort to document the trade-offs, so I'm not going to do that right now, but it should be done one day.

Related Objects

Event Timeline

matmarex created this task.Apr 7 2025, 8:28 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptApr 7 2025, 8:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
matmarex moved this task from Inbox, needs triage to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Apr 7 2025, 8:28 PM
matmarex mentioned this in T390830: Cookie warning, errors and new SUL3.Apr 7 2025, 8:31 PM
Novem_Linguae subscribed.Apr 7 2025, 8:35 PM
Tgr subscribed.Apr 7 2025, 8:43 PM
Tgr added a comment.Apr 7 2025, 8:50 PM

They do not work in browsers that block third-party cookies

I don't think this is entirely true. The idea behind SUL3 is to ensure there is user interaction on the central domain, which whitelists that domain for third-party cookie access (in theory - we haven't done much testing of this). The problem is that logins last for a long time and the effect of user interactions do not last forever, so on cookie-blocking browsers (which is currently a minority, but that might change) we'd probably need a way to repeat that interaction, even though the user does not need to log in. That would be T369467: SUL3: Consider adding interstitial when the user is already logged in centrally.

Tgr added a comment.Apr 7 2025, 9:03 PM

Without edge login and subresource autologin, account autocreation would require an intentional action from the user. That would solve some problems (see e.g. T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login)), at the cost of ease of use for cross-wiki work.

Pppery awarded a token.Apr 8 2025, 12:19 AM
Nemo_bis subscribed.Apr 12 2025, 7:08 AM
OWresch-WMF moved this task from Not planned (Patches welcome!) to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Tue, Jan 20, 12:21 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits