Login as another user no longer works
Closed, Resolved (Public)

Description

If you're already logged in, you can no longer directly log in as another user (such as with bots, different privilege or role accounts, sockpuppets, etc.) without first logging out.

This is annoying and shouldn't have happened.


Version: 1.24rc
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=71066

Details

Reference
bz70855

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 3:44 AM
bzimport set Reference to bz70855.
Isarra created this task. Sep 15 2014, 6:16 PM

swalling wrote:

This is an odd regression. For reproducibility:

  1. Visit a wiki while logged in.
  2. Search for Special:UserLogin or enter in the URL manually.
  3. You are redirected to the Main Page

Expected behavior: until recently, you should have been able to visit Special:UserLogin while authenticated as another account. The form then tells you that you are already logged in and allows you to login as a separate user.

(If this is fixed, 5dfc57eb80098a2016ed98cbdcca8ee6e1af1c79 should be reverted.)

The issue fixed by the bug is pretty important, so simply reverting the patch will not actually solve anything.

IMO, the bug described (switching between accounts) should really be solved by some sort of account switcher, e.g., like Google has.

Indeed, but it should be easy enough to show the form instead of redirecting when the user is logged in and there's no 'returnto' parameter.

To play devil's advocate, why would you want to visit the login form whilst logged in? What is wrong with logging out and then visiting it?

(In reply to Bartosz Dziewoński from comment #5)

> Indeed, but it should be easy enough to show the form instead of redirecting
> when the user is logged in and there's no 'returnto' parameter.

(In reply to Jon from comment #6)

> To play devil's advocate, why would you want to visit the login form whilst
> logged in? What is wrong with logging out and then visiting it?

These two sort of go together.

The only situation in which there would be no 'returnto' parameter is if you manually navigated to the login page by typing "Special:Userlogin" in the search bar (or by entering it in your address bar). I feel like it is much easier and trivial to simply click Logout and then log back in again.

We might be able to improve the experience by having the logout page redirect back to the login page automatically, and just display a message saying you were logged out.

However, logging out can cause problems because it invalidates all login sessions. If a user is operating a bot and switches to remove the new message talk page notice, it logs the bot out.

Honestly I think what this is fixing is a molehill compared to the mountain of problems that it creates.

(In reply to Betacommand from comment #8)

> However logging out can cause problems because it invalidates all login
> sessions. If a user is operating a bot and switches to remove the new
> message talk page notice, it logs the bot out.

That is CentralAuth, not a property of core.

Actually it's not. That particular issue has existed for as long as I can remember (~2006). If I log in via a bot, the cookies/session is kept and reused as needed. If I then log in via a web browser, both sessions work. However, if I log out via the web browser, the session/tokens that the bot has been using get invalidated and cause the bot to no longer be logged in.

That is about as core as one can get. Prior to this, a user could be logged in as themselves, note their bot has a new message, log into the bot account, clear the message, and then log back into the main account without ever logging out. This enables multiple logins and does not cause issues where the bot or user gets logged out on other devices/locations.

(In reply to Betacommand from comment #10)

> Actually it's not. That particular issue has existed for as long as I can
> remember (~2006). If I log in via a bot, the cookies/session is kept and
> reused as needed. If I then log in via a web browser, both sessions work.
> However, if I log out via the web browser, the session/tokens that the bot
> has been using get invalidated and cause the bot to no longer be logged in.
> That is about as core as one can get. Prior to this, a user could be logged
> in as themselves, note their bot has a new message, log into the bot
> account, clear the message, and then log back into the main account without
> ever logging out. This enables multiple logins and does not cause issues
> where the bot or user gets logged out on other devices/locations.

I can assure you that MediaWiki core does not simultaneously log out all sessions. All logging out does is clear your cookies. I also just tested this on my Vagrant instance using two different browsers,

https://bugzilla.wikimedia.org/show_bug.cgi?id=49890

There was discussion on mailing lists about killing this behaviour.

*** Bug 69475 has been marked as a duplicate of this bug. ***

Change 161465 had a related patch set uploaded by Bartosz Dziewoński:
Allow logged-in users to view and use the login form

https://gerrit.wikimedia.org/r/161465

Change 161465 merged by jenkins-bot:
Allow logged-in users to view and use the login form again

https://gerrit.wikimedia.org/r/161465

Patch merged in master, leaving this open until it's clear if we need to backport to 1.24, or if it will be included.

Change 162120 had a related patch set uploaded by Legoktm:
Allow logged-in users to view and use the login form again

https://gerrit.wikimedia.org/r/162120

Change 162120 merged by jenkins-bot:
Allow logged-in users to view and use the login form again

https://gerrit.wikimedia.org/r/162120

So to be clear the fix has reopened bug 15484

(Per bug 15484 comment 27 it hasn't. The fix here only changes any behavior if a user types "Special:UserLogin" in the search box or address bar, or otherwise directly visits the login page.)

swalling wrote:

(In reply to Bartosz Dziewoński from comment #21)

> (Per bug 15484 comment 27 it hasn't. The fix here only changes any behavior
> if a user types "Special:UserLogin" in the search box or address bar, or
> otherwise directly visits the login page.)

Tested and confirmed on Beta Labs.

Thanks Bartosz.

My bad. Thanks for the clarification and sorry for the confusion :)