Page MenuHomePhabricator

possibly unexpected behavior with SUL/CentralAuth
Closed, ResolvedPublic

Description

This might be OK, but I thought I'd report it because it seems strange to me:

  • User gets a message "Not logged in"
  • click "Log in"
  • on login page, click "Log in" without filling in password. User name is filled in automatically.
  • Login succeeds without password being entered
    • Note: sometimes upon doing this I briefly see a "Password field was empty" or "Cookies required" error message before the login succeeds.

Unexpected behavior:

  • Login succeeds from login page without a password required
  • Login sometimes reports a missing-password or cookies error before succeeding
  • Pasting an http: URL fails after first login but succeeds after second password-less login.

Version: unspecified
Severity: normal

Details

Reference
bz50334

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 1:44 AM
bzimport set Reference to bz50334.

Confirmed, that is a bug.

We have a larger patch for SUL that we're (almost) ready to merge and deploy, which I'm pretty confident will address this.

(In reply to comment #0)

This might be OK, but I thought I'd report it because it seems strange to
me:

to central server and end up on the https URL https:/test2.wikipedia.org

  • explicitly open an http page requiring login, like

http://test2.wikipedia.org/wiki/Special:UploadWizard by pasting into the
address bar

  • User gets a message "Not logged in"

Apparently it's only logging you in on the secure site, not the insecure site. Aaron knows more about this bit of the code than I do, CCing him.

  • click "Log in"
  • on login page, click "Log in" without filling in password. User name is

filled in automatically.

  • Login succeeds without password being entered
    • Note: sometimes upon doing this I briefly see a "Password field was

empty"
or "Cookies required" error message before the login succeeds.

When you open Special:Userlogin, it attempts to check if you're logged into the central domain in the background. Presumably this is succeeding, which is why the login seems to succeed despite entering a wrong password.

There's JavaScript involved in that check that tries to send you to the success page, but if you already clicked the "Log in" button it may be that the browser isn't allowing the JavaScript to override the form submission.

This is still an issue with the latest version. loginwiki redirects back to the attached wiki with a PROTO_CURRENT link, which is always https in production.

I just added a patch that should fix this.

Change 72657 had a related patch set uploaded by CSteipp:
Redirect to correct protocol in SUL2

https://gerrit.wikimedia.org/r/72657

Change 72657 merged by jenkins-bot:
Redirect to correct protocol in SUL2

https://gerrit.wikimedia.org/r/72657

Anomie added a comment.Sep 3 2013, 5:31 PM

Considering the patch has been merged since July, let's close this. Feel free to reopen if this still occurs.