Page MenuHomePhabricator
Create Task
Maniphest T52334

possibly unexpected behavior with SUL/CentralAuth
Closed, ResolvedPublic
Actions

Description

This might be OK, but I thought I'd report it because it seems strange to me:

  • User gets a message "Not logged in"
  • click "Log in"
  • on login page, click "Log in" without filling in password. User name is filled in automatically.
  • Login succeeds without password being entered
    • Note: sometimes upon doing this I briefly see a "Password field was empty" or "Cookies required" error message before the login succeeds.

Unexpected behavior:

  • Login succeeds from login page without a password required
  • Login sometimes reports a missing-password or cookies error before succeeding
  • Pasting an http: URL fails after first login but succeeds after second password-less login.

Version: unspecified
Severity: normal

Details

Reference
bz50334

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:44 AM
bzimport added projects: MediaWiki-extensions-CentralAuth, Browser-test-bug.
bzimport set Reference to bz50334.
Cmcmahon created this task.Jun 27 2013, 11:51 PM
csteipp added a comment.Jun 28 2013, 5:14 PM

Confirmed, that is a bug.

We have a larger patch for SUL that we're (almost) ready to merge and deploy, which I'm pretty confident will address this.

Anomie added a comment.Jun 28 2013, 6:20 PM

(In reply to comment #0)

This might be OK, but I thought I'd report it because it seems strange to
me:

to central server and end up on the https URL https:/test2.wikipedia.org

  • explicitly open an http page requiring login, like

http://test2.wikipedia.org/wiki/Special:UploadWizard by pasting into the
address bar

  • User gets a message "Not logged in"

Apparently it's only logging you in on the secure site, not the insecure site. Aaron knows more about this bit of the code than I do, CCing him.

  • click "Log in"
  • on login page, click "Log in" without filling in password. User name is

filled in automatically.

  • Login succeeds without password being entered
    • Note: sometimes upon doing this I briefly see a "Password field was

empty"
or "Cookies required" error message before the login succeeds.

When you open Special:Userlogin, it attempts to check if you're logged into the central domain in the background. Presumably this is succeeding, which is why the login seems to succeed despite entering a wrong password.

There's JavaScript involved in that check that tries to send you to the success page, but if you already clicked the "Log in" button it may be that the browser isn't allowing the JavaScript to override the form submission.

csteipp added a comment.Jul 2 2013, 11:44 PM

This is still an issue with the latest version. loginwiki redirects back to the attached wiki with a PROTO_CURRENT link, which is always https in production.

I just added a patch that should fix this.

gerritbot added a comment.Jul 8 2013, 11:32 PM

Change 72657 had a related patch set uploaded by CSteipp:
Redirect to correct protocol in SUL2

https://gerrit.wikimedia.org/r/72657

gerritbot added a comment.Jul 10 2013, 9:13 PM

Change 72657 merged by jenkins-bot:
Redirect to correct protocol in SUL2

https://gerrit.wikimedia.org/r/72657

Anomie added a comment.Sep 3 2013, 5:31 PM

Considering the patch has been merged since July, let's close this. Feel free to reopen if this still occurs.

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:59 PM
Aklapper removed subscribers: Anomie, Cmcmahon, werdna.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL