I'm recently having an issue that while I'm fully logged as named account in on wikipedia.org wikis, when I go to wikinews or other second level domains, I still need to fully login (with password and 2FA) even though all still go through auth.wikimedia.org. It looks like a deeper level issue that has been introduced recently. Tagging @Tgr who might know more.

Related tickets

• T403898: Edge login does not work for temporary accounts (description indicates that login used to eventually work)
• T403899: Top-level autologin does not fully work for temporary accounts

What browser did you test in? For Firefox I think this is expected behavior. Temp user creation doesn't involve user interaction on the shared domain so there is no way to access cross-site cookies ("site" in the WHATWG sense, so second-level domain usually).

In T410151#11374848, @Ladsgroup wrote:

I'm recently having an issue that while I'm fully logged as named account in on wikipedia.org wikis, when I go to wikinews or other second level domains, I still need to fully login (with password and 2FA) even though all still go through auth.wikimedia.org.

That would be unexpected, since for named accounts the user interaction on auth.wikimedia.org does happen, so in theory the cookies are available in a cross-site context. But it's definitely possible that browser behavior changed or that we broke something. What browser are you using? Does it seem deterministic?

@Tgr I tested in Chrome. I have seen this behavior work before so I was surprised when it didn't. Even after waiting for a few minutes it did not log me in to the temp account.

Chrome in normal mode (not incognito)?

In T410151#11379582, @Tgr wrote:

Chrome in normal mode (not incognito)?

Correct, no incognito.
Tested on production and beta cluster environments.

In T410151#11379543, @Tgr wrote:

In T410151#11374848, @Ladsgroup wrote:

I'm recently having an issue that while I'm fully logged as named account in on wikipedia.org wikis, when I go to wikinews or other second level domains, I still need to fully login (with password and 2FA) even though all still go through auth.wikimedia.org.

That would be unexpected, since for named accounts the user interaction on auth.wikimedia.org does happen, so in theory the cookies are available in a cross-site context. But it's definitely possible that browser behavior changed or that we broke something. What browser are you using? Does it seem deterministic?

Mine was Firefox

I tested this just now on Edge 142, and the temporary account persisted. I got a popup saying I was centrally logged in:

(which is weird wording, but okay)

and after refreshing the page I was indeed "logged in" as the temporary account.

So the way we do it still works, in principle, but it depends on the browser behavior regarding third-party cookies. I picked Edge for this test because AFAIK it doesn't attempt any of the privacy mitigations that Firefox and Chrome are trying.

If the browser doesn't permit us to read cookies from subresources on auth.wikimedia.org while visiting en.wikisource.org, the mechanism won't work, and we'd need to do something much more invasive to share the data between the domains.

In T410151#11374848, @Ladsgroup wrote:

I'm recently having an issue that while I'm fully logged as named account in on wikipedia.org wikis, when I go to wikinews or other second level domains, I still need to fully login (with password and 2FA) even though all still go through auth.wikimedia.org. It looks like a deeper level issue that has been introduced recently. Tagging @Tgr who might know more.

This sounds like T406589: After authenticating on a content wiki, sometimes have to re-authenticate on authwiki