Enst80

Hi @Enst80, please see the following new issue that I think is possibly related to the recent "First Save" bug that was fixed recently:

https://www.mediawiki.org/wiki/Extension_talk:Auth_remoteuser#page_forms_loose_edits_when_session_expires

See my answer (and question) here.

@Enst80 @Otheus Hey guys, I'm in dire need of some help/insight on solving the "First Save" bug [0].

My system is:

• RHEL7 with CA Policy Agent to ensure authenticated sessions via remote enterprise identity provider.
• Mediawiki - 1.30.0 (830bb58)
• Auth_remoteuser - 2.0.1 (0af2823)16:22, 24 April 2018

My Auth_remoteuser config is:

if(isset($_SERVER['HTTP_AGENCYUID'] )) { $HTTP_AGENCYUID = $_SERVER['HTTP_AGENCYUID'];} 
else                                   { $HTTP_AGENCYUID = null; }
$wgGroupPermissions['*']['autocreateaccount'] = true;
wfLoadExtension( 'Auth_remoteuser' );  
$wgAuthRemoteuserUserName = $HTTP_AGENCYUID;
$wgAuthRemoteuserUserPrefsForced = [
    'email'    => $HTTP_AGENCYEMAIL,
    'realname' => $HTTP_DISPLAYNAME
  ];

and an analysis of my session header is shown here:

The claim from this discussion [1] seems to be that the Auto Login module doesn't create a proper user session.

It is only after the user makes a "first save" attempt (which fails) that the user's session is fully established.

Please help!!! :-) -Rich

[0] https://www.mediawiki.org/wiki/Extension_talk:Auth_remoteuser#%22First_Save%22_bug_with_MW_1.30_and_AuthRU_2.0.2

[1] https://meta.wikimedia.org/wiki/User_talk:Otheus/Auto_Login_via_REMOTE_USER#First-Save_Bug

The uploaded patch https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Auth_remoteuser/+/445775/ should solve this problem ;-)

The bug caused the SessionManager to reset the session id on the first request and this in turn causes the response header to send a cookie session delete instead of cookie session id set. In total there were 4 differing session ids created (2 on the first request, 2 on the second request) and only the 4th id got used with the next request (3th and ongoing) then.

Hi! I've implemented your code review on https://gerrit.wikimedia.org/r/#/c/383845/

Heya, thank you. I recognized it already but have to apologize for the late reply - though just been a bit busy. Will spent my time on it next week.

Awesome. Take your time, no hurry. I just wanted to make sure that there is still somebody actively maintaining the extension :)

Hi, sorry to bother you again. Can you tell me if Extension:Auth remoteuser is actively being maintained? If not, I'd request maintainership.

Hi! I am working on a new stack for LDAP authentication. "Auth_remoteuser" is part of it. I need to have some of my patches merged. Are you the current maintainer? If not, should I request ownership, or are there any others?

Hello,

sorry for being that slow currently. Unfortunately, pre christmas weeks were really busy. Anyways, that's no excuse and now i got the time.

I started on testing your uploaded patch sets already. But i haven't finished my review yet.

And i still don't have owner rights on my gerrit account for that extension, so i can't give any +2 reviews (Thats why i didn't reviewed even easy to merge patch sets). I wrote an email to the current owner to add me to that specific group.

That's good news. Thanks. No need to apologize.