Last modified: 2014-10-07 21:33:41 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T71834, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 69834 - login when already logged in gets exception from Special:CentralLogin
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: master
Hardware: All All
Importance: High major with 1 vote
Assigned To: Nobody - You can work on this!
Duplicates: 69947 70381 70660 70666
Reported: 2014-08-21 08:09 UTC by spage
Modified: 2014-10-07 21:33 UTC
aklapper: Backport_WMF+


Description spage 2014-08-21 08:09:42 UTC
I'm used to entering the URL https://<host>/wiki/Special:UserLogin to log in with a different username.  It would warn "You are already logged in as S Page (WMF). Use the form below to log in as another user." and let me do just that.

However, now when I do this on beta labs when I'm already logged in, I get a 302 redirect and then Internal error exception from http://en.wikipedia.beta.wmflabs.org/wiki/Special:CentralLogin/complete?token=921d7ed90f5b780db73c89673f1bb6d6 "The user account logged into does not exist."  The full display is below.

The workaround is to click Log out or visit Special:Logout, then log in.
As I recall, visiting Special:UserLogin while logged in on mediawiki.org a week or so ago would just redirect me to the main page (not ideal but better than an exception); but now I'm getting the same Internal error exception except the production cluster truncates it to a pink "[7ed77f38] 2014-08-21 08:02:15: Fatal exception of type MWException".

Below is the full error display on beta labs:

[82d43ccf] /wiki/Special:CentralLogin/complete?token=921d7ed90f5b780db73c89673f1bb6d6 Exception from line 167 of /srv/common-local/php-master/extensions/CentralAuth/specials/SpecialCentralLogin.php: The user account logged into does not exist.

Backtrace:

#0 /srv/common-local/php-master/extensions/CentralAuth/specials/SpecialCentralLogin.php(33): SpecialCentralLogin->doLoginComplete(string)
#1 /srv/common-local/php-master/includes/specialpage/SpecialPage.php(363): SpecialCentralLogin->execute(string)
#2 /srv/common-local/php-master/includes/specialpage/SpecialPageFactory.php(516): SpecialPage->run(string)
#3 /srv/common-local/php-master/includes/MediaWiki.php(300): SpecialPageFactory::executePath(Title, RequestContext)
#4 /srv/common-local/php-master/includes/MediaWiki.php(609): MediaWiki->performRequest()
#5 /srv/common-local/php-master/includes/MediaWiki.php(460): MediaWiki->main()
#6 /srv/common-local/php-master/index.php(46): MediaWiki->run()
#7 /srv/common-local/w/index.php(3): include(string)
#8 {main}
Comment 1 Andre Klapper 2014-08-23 15:18:07 UTC
It is pretty confusing when you go to https://en.wikipedia.org/wiki/Special:UserLogin?useNew=1 (being already logged in) and all you get is "[d1aecbd5] 2014-08-23 15:16:17: Fatal exception of type MWException" on a white page.

Raising priority.
Comment 2 Kunal Mehta (Legoktm) 2014-08-24 20:36:01 UTC
I think this was caused by Idd9325374cb5dc13c4c057f45f88a33bdff523a9. There have been no CA changes related to this except my patch changing the fatal into a MWException (I2488e1fd3109ce66c2cb42d9afc78097f2b7313d).
Comment 3 Matthew Flaschen 2014-08-25 04:15:17 UTC
A white screen of death on the login page is more than normal priority, even if it only happens when you're already logged in.

(In reply to spage from comment #0)
> As I recall, visiting Special:UserLogin while logged in on mediawiki.org a
> week or so ago would just redirect me to the main page (not ideal but better
> than an exception);

This is the new expected behavior.  Specifically, it redirects you to the returnto, and the main page is the default returnto if another one is not specified in the query string.

(In reply to Andre Klapper from comment #1)
> It is pretty confusing when you go to
> https://en.wikipedia.org/wiki/Special:UserLogin?useNew=1 (being already
> logged in) and all you get is "[d1aecbd5] 2014-08-23 15:16:17: Fatal
> exception of type MWException" on a white page.

Just to avoid confusion, useNew was temporary and removed quite a while ago (except for some outdated qqq that crept back in; I just uploaded a patch to fix).  It has no effect and is unrelated to this bug.

(In reply to Kunal Mehta (Legoktm) from comment #2)
> I think this was caused by Idd9325374cb5dc13c4c057f45f88a33bdff523a9. There
> have been no CA changes related to this except my patch changing the fatal
> into a MWException (I2488e1fd3109ce66c2cb42d9afc78097f2b7313d).

If S is right that it redirected to the main page before in WMF production ("As I recall...") that indicates the bad CentralAuth interaction is more recent.  I personally can't confirm this, so I don't remember if I tested this behavior in production.
Comment 4 Florian 2014-08-25 07:57:08 UTC
(In reply to spage from comment #0)
> As I recall, visiting Special:UserLogin while logged in on mediawiki.org a
> week or so ago would just redirect me to the main page (not ideal but better
> than an exception); but now I'm getting the same Internal error exception
> except the production cluster truncates it to a pink "[7ed77f38] 2014-08-21
> 08:02:15: Fatal exception of type MWException".

If I go to https://www.mediawiki.org/wiki/Special:UserLogin I will be redirected to the main page? No exception there (but in other projects, like en.wiki)

On betalabs I get redirected to main page, too.
Comment 5 Andre Klapper 2014-08-25 14:24:49 UTC
Bug 69947 might be a dup?
Comment 6 Matthew Flaschen 2014-08-26 03:23:44 UTC
*** Bug 69947 has been marked as a duplicate of this bug. ***
Comment 7 Chris Steipp 2014-08-27 23:05:17 UTC
So the cause is Idd9325374cb5dc13c4c057f45f88a33bdff523a9, and this code:


// In the case where the user is already logged in, do not show the login page.
// The use case scenario for this is when a user opens a large number of tabs, is
// redirected to the login page on all of them, and then logs in on one, expecting
// all the others to work properly.
if ( $this->mType !== 'signup' && !$this->mPosted && $this->getUser()->isLoggedIn() ) {
	$this->successfulLogin();
}

CentralAuth hooks UserLoginComplete from successfulLogin, which redirects through loginwiki's Special:CentralLogin/start and /complete.

I think the exception is happening because it tries to get the username out of $_SESSION, but since the user logged in a while ago, and

> echo ini_get( 'session.gc_maxlifetime' );
1440

we only keep sessions around server side for 24 minutes, the username from $_SESSION is probably null, so the exception is triggered.

Tyler, can you explain the use case you put in that comment? I'm not sure I follow why that is needed. We can probably flag CentralAuth not to redirect if we have to, but I'm trying to understand the whole picture.
Comment 8 lixxx235wikipedia 2014-09-03 05:27:46 UTC
I am experiencing this. I am getting "[fe654767] 2014-09-03 05:20:50: Fatal exception of type MWException", even after I try Special:UserLogout then try to log back in. When I try to edit, I get the normal logged out IP traced banner. Any ideas?
Comment 9 Kunal Mehta (Legoktm) 2014-09-03 05:35:40 UTC
Easy/quick/hackish fix in CentralAuth is to check in the onUserLoginComplete function that $wgRequest->wasPosted() === false, and not start the central login process if that's the case.

I wonder if we should even be triggering the UserLoginComplete hook if the user wasn't actually newly logged in.
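
Added example, not part of the bug thread and not MediaWiki or CentralAuth code: a self-contained PHP model of the failure explained in comment 7 (login-complete logic running on a GET while the server-side session data has expired) and of the POST guard suggested in comment 9. All class and function names, the session id and the user name are hypothetical and constructed for the illustration; only wasPosted() and the 1440-second lifetime are taken from the thread.

```php
<?php
// Added illustration. FakeRequest, readSession(), completeCentralLogin() and
// onLoginComplete() are hypothetical stand-ins, not MediaWiki or CentralAuth code.
const SESSION_GC_MAXLIFETIME = 1440; // seconds, the value quoted in comment 7
class FakeRequest {
	private $posted;
	public function __construct( bool $posted ) { $this->posted = $posted; }
	public function wasPosted(): bool { return $this->posted; }
}

// Server-side session store: data older than the GC lifetime is treated as gone.
function readSession( array $store, string $id, int $now ): array {
	$entry = $store[$id] ?? null;
	if ( $entry === null || $now - $entry['written'] > SESSION_GC_MAXLIFETIME ) {
		return [];
	}
	return $entry['data'];
}

// Completion step: needs the user name saved in the session at login time.
function completeCentralLogin( array $session ): string {
	if ( !isset( $session['name'] ) ) {
		throw new RuntimeException( 'The user account logged into does not exist.' );
	}
	return "central login completed for {$session['name']}";
}

// $requirePost = false models the behaviour that threw; true models the guard.
function onLoginComplete( FakeRequest $req, array $session, bool $requirePost ): string {
	if ( $requirePost && !$req->wasPosted() ) {
		return 'central login skipped: no login form was submitted';
	}
	return completeCentralLogin( $session );
}

// Constructed scenario: session written at t=0, login page visited by GET at t=30 min.
$store = [ 'abc' => [ 'written' => 0, 'data' => [ 'name' => 'ExampleUser' ] ] ];
$stale = readSession( $store, 'abc', 30 * 60 );
$get = new FakeRequest( false );
try {
	$result = onLoginComplete( $get, $stale, false );
} catch ( RuntimeException $e ) {
	$result = 'exception: ' . $e->getMessage();
}
echo 'unguarded GET: ', $result, "\n";
echo 'guarded GET:   ', onLoginComplete( $get, $stale, true ), "\n";
// A form submission one minute after the session was written still completes.
$fresh = readSession( $store, 'abc', 60 );
echo 'guarded POST:  ', onLoginComplete( new FakeRequest( true ), $fresh, true ), "\n";
```

The guard only keeps the completion step from running when no credentials were submitted; the completion step itself still fails on missing session data.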
Comment 10 Tyler Romeo 2014-09-03 06:08:11 UTC
(In reply to Chris Steipp from comment #7)
> Tyler, can you explain the use case you put in that comment? I'm not sure I
> follow why that is needed. We can probably flag CentralAuth not to redirect
> if we have to, but I'm trying to understand the whole picture.

I mean, it says everything in the comment. Let's say a user has two tabs open, their watchlist and their preferences page. However, they have been logged out because of the session expiry. So when they open their browser, Special:Watchlist and Special:Preferences redirect them to the login page. The user logs in in just one of those pages, such that they can then just refresh all the other pages and have them auto-return to where they intended to go to.
Comment 11 Alex Monk 2014-09-04 04:40:34 UTC
*** Bug 70381 has been marked as a duplicate of this bug. ***
Comment 12 Gerrit Notification Bot 2014-09-04 23:49:04 UTC
Change 158547 had a related patch set uploaded by CSteipp:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/158547
Comment 13 Andre Klapper 2014-09-08 15:22:02 UTC
Patch got a +1 by legoktm; is more needed or can this get merged?
Comment 14 Gerrit Notification Bot 2014-09-08 16:47:28 UTC
Change 158547 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/158547
Comment 15 Kunal Mehta (Legoktm) 2014-09-08 16:53:48 UTC
I was hoping someone else more familiar with auth stuff would look at it but I guess not. Flagging for backport...
Comment 16 Matthew Flaschen 2014-09-09 06:50:39 UTC
(In reply to Kunal Mehta (Legoktm) from comment #9)
> I wonder if we should even be triggering the UserLoginComplete hook if the
> user wasn't actually newly logged in.

That sounds a little more future proof (and current-proof for other extensions) to me as well, FWIW.  When you're already logged in, visiting the login page (even if you're then redirected to your returnto) is not really a UserLoginComplete.

You were already logged in, so you didn't just complete a login.
Comment 17 Kunal Mehta (Legoktm) 2014-09-10 16:11:37 UTC
*** Bug 70660 has been marked as a duplicate of this bug. ***
Comment 18 Gerrit Notification Bot 2014-09-10 16:12:38 UTC
Change 159491 had a related patch set uploaded by Reedy:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159491
Comment 19 Gerrit Notification Bot 2014-09-10 16:12:52 UTC
Change 159492 had a related patch set uploaded by Reedy:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159492
Comment 20 Gerrit Notification Bot 2014-09-10 17:09:02 UTC
Change 159491 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159491
Comment 21 Gerrit Notification Bot 2014-09-10 17:09:27 UTC
Change 159492 merged by jenkins-bot:
Don't do central login if not POSTed

https://gerrit.wikimedia.org/r/159492
Comment 22 Kunal Mehta (Legoktm) 2014-09-10 18:00:58 UTC
*** Bug 70666 has been marked as a duplicate of this bug. ***
Comment 23 Kunal Mehta (Legoktm) 2014-09-11 02:13:58 UTC
Visiting "Special:UserLogin" on en.wp and test.wp now directly redirects me to the main page, no exception thrown.
Comment 24 Andre Klapper 2014-10-07 21:33:41 UTC
[Backport was merged into 1.24wmf19 and 1.24wmf20 upon a time, hence setting Backport_WMF flag to +]
