Page MenuHomePhabricator

login when already logged in gets exception from Special:CentralLogin
Closed, ResolvedPublic

Description

I'm used to entering the URL https://<host>/wiki/Special:UserLogin to login with a different username. It would warn "You are already logged in as S Page (WMF). Use the form below to log in as another user." and let me do just that.

However, now when I do this on beta labs when I'm already logged in, I get a 302 redirect and then Internal error exception from http://en.wikipedia.beta.wmflabs.org/wiki/Special:CentralLogin/complete?token=921d7ed90f5b780db73c89673f1bb6d6 "The user account logged into does not exist." The full display is below.

The workaround is to click Log out or visit Special:Logout, then log in.
As I recall, visiting Special:UserLogin while logged in on mediawiki.org a week or so ago would just redirect me to the main page (not ideal but better than an exception); but now I'm getting the same Internal error exception except the production cluster truncates it to a pink "[7ed77f38] 2014-08-21 08:02:15: Fatal exception of type MWException".

Below is the full error display on beta labs:

[82d43ccf] /wiki/Special:CentralLogin/complete?token=921d7ed90f5b780db73c89673f1bb6d6 Exception from line 167 of /srv/common-local/php-master/extensions/CentralAuth/specials/SpecialCentralLogin.php: The user account logged into does not exist.

Backtrace:

#0 /srv/common-local/php-master/extensions/CentralAuth/specials/SpecialCentralLogin.php(33): SpecialCentralLogin->doLoginComplete(string)
#1 /srv/common-local/php-master/includes/specialpage/SpecialPage.php(363): SpecialCentralLogin->execute(string)
#2 /srv/common-local/php-master/includes/specialpage/SpecialPageFactory.php(516): SpecialPage->run(string)
#3 /srv/common-local/php-master/includes/MediaWiki.php(300): SpecialPageFactory::executePath(Title, RequestContext)
#4 /srv/common-local/php-master/includes/MediaWiki.php(609): MediaWiki->performRequest()
#5 /srv/common-local/php-master/includes/MediaWiki.php(460): MediaWiki->main()
#6 /srv/common-local/php-master/index.php(46): MediaWiki->run()
#7 /srv/common-local/w/index.php(3): include(string)
#8 {main}


Version: master
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=69565

Details

Reference
bz69834

Event Timeline

bzimport raised the priority of this task from to High.
bzimport set Reference to bz69834.
bzimport added a subscriber: Unknown Object (MLST).

It is pretty confusing when you go to https://en.wikipedia.org/wiki/Special:UserLogin?useNew=1 (being already logged in) and all you get is "[d1aecbd5] 2014-08-23 15:16:17: Fatal exception of type MWException" on a white page.

Raising priority.

I think this was caused by Idd9325374cb5dc13c4c057f45f88a33bdff523a9. There have been no CA changes related to this except my patch changing the fatal into a MWException (I2488e1fd3109ce66c2cb42d9afc78097f2b7313d).

A white screen of death on the login page is more than normal priority, even if it only happens when you're already logged in.

(In reply to spage from comment #0)

As I recall, visiting Special:UserLogin while logged in on mediawiki.org a
week or so ago would just redirect me to the main page (not ideal but better
than an exception);

This is the new expected behavior. Specifically, it redirects you to the returnto, and the main page is the default returnto if another one is not specified in the query string.

(In reply to Andre Klapper from comment #1)

It is pretty confusing when you go to
https://en.wikipedia.org/wiki/Special:UserLogin?useNew=1 (being already
logged in) and all you get is "[d1aecbd5] 2014-08-23 15:16:17: Fatal
exception of type MWException" on a white page.

Just to avoid confusion, useNew was temporary and removed quite a while ago (except for some outdated qqq that crept back in; I just uploaded a patch to fix). It has no effect and is unrelated to this bug.

(In reply to Kunal Mehta (Legoktm) from comment #2)

I think this was caused by Idd9325374cb5dc13c4c057f45f88a33bdff523a9. There
have been no CA changes related to this except my patch changing the fatal
into a MWException (I2488e1fd3109ce66c2cb42d9afc78097f2b7313d).

If S is right that it redirected to the main page before in WMF production ("As I recall...") that indicates the bad CentralAuth interaction is more recent. I personally can't confirm this, so I don't remember if I tested this behavior in production.

(In reply to spage from comment #0)

As I recall, visiting Special:UserLogin while logged in on mediawiki.org a
week or so ago would just redirect me to the main page (not ideal but better
than an exception); but now I'm getting the same Internal error exception
except the production cluster truncates it to a pink "[7ed77f38] 2014-08-21
08:02:15: Fatal exception of type MWException".

If i go to https://www.mediawiki.org/wiki/Special:UserLogin i will be redirected to the main page? No exception there (but in other projects, like en.wiki)

On betalabs i get redirected to main page, too.

Bug 69947 might be a dup?

  • Bug 69947 has been marked as a duplicate of this bug. ***

So the cause is Idd9325374cb5dc13c4c057f45f88a33bdff523a9, and this code:

In the case where the user is already logged in, do not show the login page.
The use case scenario for this is when a user opens a large number of tabs, is
redirected to the login page on all of them, and then logs in on one, expecting
all the others to work properly.
if ( $this->mType !== 'signup' && !$this->mPosted && $this->getUser()->isLoggedIn() ) {
$this->successfulLogin();
}

CentralAuth hooks UserLoginComplete from successfulLogin, which redirects through loginwiki's Special:CentralLogin/start and /complete.

I think the exception is happening because it tries to get the username out of $_SESSION, but since the user logged in a while ago, and

echo ini_get( 'session.gc_maxlifetime' );

1440

we only keep sessions around server side for 24 minutes, the username from $_SESSION is probably null, so the exception is triggered.

Tyler, can you explain the use case you put in that comment? I'm not sure I follow why that is needed. We can probably flag CentralAuth not to redirect if we have to, but I'm trying to understand the whole picture.

I am experiencing this. I am getting "[fe654767] 2014-09-03 05:20:50: Fatal exception of type MWException"m even after I try Special:UserLogout then try to log back in. When I try to edit, I get the normal logged out IP traced banner. Any ideas?

Easy/quick/hackish fix in CentralAuth is to check in the onUserLoginComplete function that $wgRequest->wasPosted() === false, and not start the central login process if that's the case.

I wonder if we should even be triggering the UserLoginComplete hook if the user wasn't actually newly logged in.

(In reply to Chris Steipp from comment #7)

Tyler, can you explain the use case you put in that comment? I'm not sure I
follow why that is needed. We can probably flag CentralAuth not to redirect
if we have to, but I'm trying to understand the whole picture.

I mean, it says everything in the comment. Let's say a user has two tabs open, their watchlist and their preferences page. However, they have been logged out because of the session expiry. So when they open their browser, Special:Watchlist and Special:Preferences redirect them to the login page. The user logs in in just one of those pages, such that they can then just refresh all the other pages and have them auto-return to where they intended to go to.

  • Bug 70381 has been marked as a duplicate of this bug. ***

Change 158547 had a related patch set uploaded by CSteipp:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/158547

Patch got a +1 by legoktm; is more needed or can this get merged?

Change 158547 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/158547

I was hoping someone else more familiar with auth stuff would look at it but I guess not. Flagging for backport...

(In reply to Kunal Mehta (Legoktm) from comment #9)

I wonder if we should even be triggering the UserLoginComplete hook if the
user wasn't actually newly logged in.

That sounds a little more future proof (and current-proof for other extensions) to me as well, FWIW. When you're already logged in, visiting the login page (even if you're then redirected to your returnto) is not really a UserLoginComplete.

You were already logged in, so you didn't just complete a login.

  • Bug 70660 has been marked as a duplicate of this bug. ***

Change 159491 had a related patch set uploaded by Reedy:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159491

Change 159492 had a related patch set uploaded by Reedy:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159492

Change 159491 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159491

Change 159492 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159492

  • Bug 70666 has been marked as a duplicate of this bug. ***

Visiting "Special:UserLogin" on en.wp and test.wp now directly redirect me to the main page, no exception thrown.

[Backport was merged into 1.24wmf19 and 1.24wmf20 upon a time, hence setting Backport_WMF flag to +]