Last modified: 2013-10-23 21:30:00 UTC
Created attachment 13535 [details] Log showing incorrect behavior for a non-*.orain.org wiki Demo: 1. Log in on any wiki on orain.org (e.g. meta.orain.org). 2. Go to any page on a non-orain.org wiki (e.g. wikiconstituciocatalana.cat). I attached two logs, one showing normal behavior for an *.orain.org wiki and another showing incorrect behavior for a non-orain.org wiki. Here is the original GitHub issue: https://github.com/Orain/ansible-playbook/issues/61 Here is our configuration (WIP): https://github.com/Orain/ansible-playbook/blob/master/roles/mediawiki/files/LocalSettings.php.j2 We're running CentralAuth 1.22wmf22 (3756064).
Created attachment 13536 [details] Log showing expected behavior on an *.orain.org wiki
http://espiral.org is also hosted in Orain. I have asked several users to login, and the feedback is the same: they can login (even after resetting password etc) but they end up being pushed back as anonymous users again. The session won't stick. What is weird is that I'm visiting and editing espiral.org as an identified user regularly. My session does stick, even after reboots or changing from a laptop to another. But then I have the same problems than the rest when logging to http://wikiconstituciocatalana.cat - which is double weird. fwiw I'm admin in both wikis. One difference is that I was already a user at espiral.org before it got imported to Orain, while Wikiconstitució was created from scratch as an Orain wiki. However, other Spiral users registered before the move are also finding login problems...
So after a fair amount of detective work.. A CA token needs to be set for each domain on login (as with the wikimedia sites.) Hence this fixed our problems https://github.com/Orain/ansible-playbook/commit/9e6336b059f42560e28104b6e04108007a3f86a5 (later altered to be a more dynamic fix for the future) Previous to this a login on espiral would create a CA token for the orain.org domain. espiral could not use this so it would then attempt to get a new CA token and session for espiral which it would do again, but again the CA token would remain under the orain.org domain not espiral.