
CentralAuth does not log you into other projects that you have never visited under certain browser cookie settings
Closed, Invalid (Public)

Description

Author: jgonera

Description:
I can reproduce this in Chrome 25 on desktop (using desktop Wikipedia, not mobile), with or without the incognito mode.
I log in to English Wikipedia and I'm not logged in to Commons.

  • The images from various Special:AutoLogin always load.
  • I don't see a centralauth_Session cookie on Commons.
  • I don't see a commonswiki_session cookie either.

I managed to reproduce it only using HTTP, but it seems it sometimes doesn't work on HTTPS for mobile users in production (we enforce HTTPS for logged in users on mobile and log an error when mobile users try to upload a photo but are not logged into Commons). It works (both for HTTP and HTTPS) on Firefox 19.

There are also mixed reports on this from other people (http://www.gossamer-threads.com/lists/wiki/wikitech/338428). Seems like a non-deterministic bug.


Version: unspecified
Severity: normal

Details

Reference
bz45578

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 1:36 AM
bzimport set Reference to bz45578.
bzimport added a subscriber: Unknown Object (MLST).

If that happens, does it log you into any projects other than the one you're currently on or into none at all (is it fully dysfunctional or just randomly failing)?

Probably the various privacy protection features in the browsers kick in here, as we're acting exactly like "evil" ad banners :/

jgonera wrote:

I just tried with Wikivoyage and it worked. But I still didn't get logged into Commons.

It also seems to be happening rather randomly on mobile devices when using mobile view. One time it will not log you into Commons, and then the other time it will.

I'm pretty sure I've worked this out. CentralAuth will only work if the user has previously visited the wiki project the login attempt is made for. Many browsers these days refuse cookies for sites the user has not visited. I'm still investigating but I'm pretty sure an image to a URL counts as a previous visit.

See https://bugzilla.wikimedia.org/show_bug.cgi?id=45452
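The explanation above (an autologin image from a wiki the browser has never visited as a first party gets its cookie dropped, while a previously visited wiki such as Wikivoyage works) can be modelled in a few lines. This is an added illustration, not CentralAuth code; the cookie policy, hostnames, token and session values are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CookieJar:
    """Constructed model of a browser that rejects third-party cookies from
    hosts never loaded as a top-level page (not real browser code)."""
    visited: set = field(default_factory=set)    # hosts seen as first party
    cookies: dict = field(default_factory=dict)  # host -> {name: value}

    def visit(self, url):
        """User navigates to url: its host becomes a first party."""
        self.visited.add(urlparse(url).hostname)

    def set_cookie(self, top_level_url, response_url, name, value):
        """Apply Set-Cookie from response_url while top_level_url is shown.
        Returns True only if the browser actually stored the cookie."""
        top = urlparse(top_level_url).hostname
        host = urlparse(response_url).hostname
        if host != top and host not in self.visited:
            return False  # third-party cookie from an unvisited host: dropped
        self.cookies.setdefault(host, {})[name] = value
        return True

    def has_cookie(self, url, name):
        return name in self.cookies.get(urlparse(url).hostname, {})


def central_auth_autologin(jar, page_url, wiki_hosts):
    """Simulate the post-login page embedding one Special:AutoLogin image per
    sister wiki. The image itself always loads; only the cookie may be lost."""
    results = {}
    for host in wiki_hosts:
        img = f"https://{host}/wiki/Special:AutoLogin?token=EXAMPLE-TOKEN"
        results[host] = jar.set_cookie(page_url, img,
                                       "centralauth_Session", "EXAMPLE-SESS")
    return results


def reproduce_report():
    """Wikivoyage was visited earlier, Commons never: only Wikivoyage logs in."""
    jar = CookieJar()
    jar.visit("https://en.wikivoyage.org/wiki/Main_Page")
    login_page = "https://en.wikipedia.org/wiki/Special:UserLogin"
    jar.visit(login_page)
    return central_auth_autologin(jar, login_page,
                                  ["commons.wikimedia.org", "en.wikivoyage.org"])
```

Running reproduce_report() returns False for commons.wikimedia.org and True for en.wikivoyage.org, matching the comments above; a direct visit to Commons before logging in flips the Commons result to True.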

Tgr subscribed.

This task is too old to be useful (both browser behavior and CentralAuth code changed a lot since then). We have T345249: Mitigate phase-out of third-party cookies in CentralAuth and its various subtasks for issues related to browser limitations on tracking cookies.