
API description of login action is misleading
Closed, Resolved (Public)


The help for action=login says:
"Log in and get the authentication tokens. In the event of a successful log-in, a cookie will be attached to your session. ..."

In fact, the first API result contains ONE token, and then if you provide this token and login is successful, you get a sessionid back in the API response, and the HTTP response header sets three cookies:

<cookieprefix>Token, set to the sessionid in the API result

These all expire in a month; none is a session cookie.

A better description for includes/api/ApiLogin.php might be:

Log in and get sessionid and browser cookies.
A successful login returns a session ID and its HTTP response header sets wiki cookies identifying the user.

Even this might vary with wiki configuration.

Version: unspecified
Severity: trivial
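
The difference the report draws between cookies that last a month and session cookies can be read straight from the `Set-Cookie` headers of a login response. The following is an added example, not part of the original task or of MediaWiki's code; the header values, the `examplewiki` prefix and every cookie name other than Token are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: "examplewiki" stands in for <cookieprefix>. Only the
# Token cookie name comes from the report; CookieA/CookieB are hypothetical.
LOGIN_TIME = datetime(2014, 10, 4, 5, 49, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE = [
    "examplewikiToken=0123abcd; expires=Mon, 03 Nov 2014 05:49:00 GMT; path=/; HttpOnly",
    "examplewikiCookieA=1; Max-Age=2592000; path=/; HttpOnly",
    "examplewikiCookieB=x; path=/; HttpOnly",  # no Expires/Max-Age: session cookie
]

def cookie_lifetime(header_value, now):
    """Return (name, lifetime in seconds), or (name, None) for a session cookie."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name = first.split("=", 1)[0]
    lifetime = None
    max_age_seen = False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            # Max-Age takes precedence over Expires (RFC 6265).
            lifetime = int(val)
            max_age_seen = True
        elif key == "expires" and not max_age_seen:
            lifetime = int((parsedate_to_datetime(val.strip()) - now).total_seconds())
    return name, lifetime

def classify(headers, now):
    """Map each cookie name to 'session', 'expired' or 'persistent:<days>d'."""
    report = {}
    for header_value in headers:
        name, lifetime = cookie_lifetime(header_value, now)
        if lifetime is None:
            report[name] = "session"
        elif lifetime <= 0:
            report[name] = "expired"
        else:
            report[name] = f"persistent:{lifetime // 86400}d"
    return report

if __name__ == "__main__":
    for cookie, kind in classify(SAMPLE_SET_COOKIE, LOGIN_TIME).items():
        print(cookie, kind)
```
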



Event Timeline

bzimport raised the priority of this task from to Low. (Nov 22 2014, 3:44 AM)
bzimport set Reference to bz71638.
bzimport added a subscriber: Unknown Object (MLST).
Spage created this task. (Oct 4 2014, 5:49 AM)
Anomie added a comment. (Oct 6 2014, 3:17 PM)

It's not like the client can reliably do anything useful with the returned session ID, since $wgSessionName isn't indicated and CentralAuth changes things too. It's probably better to just say that the needed cookies are returned in the HTTP response and leave details for

gerritadmin wrote:

Change 162960 had a related patch set uploaded by Anomie:
API: Internationalize all remaining core API modules

gerritadmin wrote:

Change 162960 merged by jenkins-bot:
API: Internationalize all remaining core API modules