Page MenuHomePhabricator
Create Task
Maniphest T415675

Abnormal background re-logins from app since Dec 2025
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

We seem to be observing a large number of background logins from certain users with the WikipediaApp (Android) useragent.

Let's investigate the potential root cause, and either:

  • Remedy the root cause if found, or
  • Explicitly stop trying to re-login in the background after x number of attempts. (We already do this if the login fails x number of times, but in these cases it looks like the login is succeeding, but then the session becomes invalidated shortly afterwards.)

Related Objects

Event Timeline

Dbrant created this task.Jan 27 2026, 2:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 27 2026, 2:57 PM
kostajh subscribed.Jan 27 2026, 2:58 PM
JTannerWMF triaged this task as High priority.Jan 27 2026, 5:15 PM
JTannerWMF edited projects, added Wikipedia-Android-App-Backlog (Android Release - FY2025-26); removed Wikipedia-Android-App-Backlog.
JTannerWMF set the point value for this task to 1.
JTannerWMF moved this task from Incoming tasks from backlog to Ready for future sprints (P1) on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.
JTannerWMF moved this task from Ready for future sprints (P1) to Current Sprint (P0) on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Jan 27 2026, 5:28 PM
JTannerWMF added a project: Android Sprint 2025: T.
Tgr added a project: MediaWiki-Core-AuthManager.Jan 27 2026, 10:27 PM
Tgr subscribed.

There's a big spike in login attempts with WikipediaApps/Android UA around Dec 12 and elevated levels since then, I wonder if it's related. (Of course, could just be a fake UA.)

Screenshot Capture - 2026-01-27 - 23-06-37.png (532×1 px, 77 KB)

We looked into a few examples and AuthManager was terminating the session with Metadata merge failed (usually an invalid/outdated cookie). It's happening on the next request after a successful login; AFAIK there is no easy way to connect those in Logstash and check whether this is a common pattern with all extra logins.

JWT session cookie handling is the one thing that changed somewhat recently (T399631: Deploy JWT cookies to production); it was enabled in October (beyond the Logstash retention cutoff, unfortunately). I don't recall any significant authentication changes in December.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 27 2026, 10:27 PM
Tgr added a comment.Jan 27 2026, 10:33 PM

Also reported in T413747: User reports of ~ 500 failed logins (December).

We had a discussion about automatic login in apps in {T398886} (May) but back then the number of logins per user didn't seem large. Maybe we had this issue back then and just didn't notice, but more likely this is a relatively recent change.

Tgr added a comment.Jan 27 2026, 10:34 PM
In T415675#11560284, @Tgr wrote:

Also reported in T413747: User reports of ~ 500 failed logins (December).

Nevermind, those are failed logins, so not really the same issue.

GitHubPRBot added a comment.Jan 28 2026, 5:26 PM

cooltey closed https://github.com/wikimedia/apps-android-wikipedia/pull/6245

Dbrant claimed this task.Jan 29 2026, 2:32 PM
Dbrant moved this task from Current Sprint (P0) to Doing on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.
Dbrant moved this task from Doing to Merged and Waiting on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Jan 30 2026, 4:17 PM
OWresch-WMF moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Feb 2 2026, 3:43 PM
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
Dbrant moved this task from Merged and Waiting to QA signoff on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Feb 3 2026, 5:21 PM
Dbrant added a comment.Feb 3 2026, 7:30 PM

For QA: for now, it's sufficient to just verify that logging in normally is working as expected.
This task is just to reduce the number of background re-logins, of a kind that we haven't been able to reproduce yet.

ABorbaWMF moved this task from QA signoff to Ready for PM signoff on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Feb 4 2026, 6:57 PM
ABorbaWMF subscribed.

Working for me on 50566-r-2026-02-02. Tested on OnePlus 8 on Android 13, and Pixel 6 on Android 16. Tested with multiple logins and logouts.

HNordeenWMF moved this task from Ready for PM signoff to Ready for release on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Tue, Feb 17, 6:02 PM
HNordeenWMF closed this task as Resolved.Tue, Feb 24, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits