Hi @Enst80, please see the following new issue that I think is possibly related to the recent "First Save" bug that was fixed recently:
https://www.mediawiki.org/wiki/Extension_talk:Auth_remoteuser#page_forms_loose_edits_when_session_expires
Enst80
Joined 5 March 2017
See my answer (and question) here.
@Enst80 @Otheus Hey guys, I'm in dire need of some help/insight on solving the "First Save" bug [0].
My system is:
- RHEL7 with CA Policy Agent to ensure authenticated sessions via remote enterprise identity provider.
- Mediawiki - 1.30.0 (830bb58)
- Auth_remoteuser - 2.0.1 (0af2823)16:22, 24 April 2018
My Auth_remoteuser config is:
if(isset($_SERVER['HTTP_AGENCYUID'] )) { $HTTP_AGENCYUID = $_SERVER['HTTP_AGENCYUID'];}
else { $HTTP_AGENCYUID = null; }
$wgGroupPermissions['*']['autocreateaccount'] = true;
wfLoadExtension( 'Auth_remoteuser' );
$wgAuthRemoteuserUserName = $HTTP_AGENCYUID;
$wgAuthRemoteuserUserPrefsForced = [
'email' => $HTTP_AGENCYEMAIL,
'realname' => $HTTP_DISPLAYNAME
];
and an analysis of my session header is shown here:
The claim from this discussion [1] seems to be that the Auto Login module doesn't create a proper user session.
It is only after the user makes a "first save" attempt (which fails) that the user's session is fully established.
Please help!!! :-) -Rich
[1] https://meta.wikimedia.org/wiki/User_talk:Otheus/Auto_Login_via_REMOTE_USER#First-Save_Bug
The uploaded patch https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Auth_remoteuser/+/445775/ should solve this problem ;-)
The bug caused the SessionManager to reset the session id on the first request and this in turn causes the response header to send a cookie session delete instead of cookie session id set. In total there were 4 differing session ids created (2 on the first request, 2 on the second request) and only the 4th id got used with the next request (3th and ongoing) then.
Hi! I've implemented your code review on https://gerrit.wikimedia.org/r/#/c/383845/
Heya, thank you. I recognized it already but have to apologize for the late reply - though just been a bit busy. Will spent my time on it next week.
Awesome. Take your time, no hurry. I just wanted to make sure that there is still somebody actively maintaining the extension :)
Hi, sorry to bother you again. Can you tell me if Extension:Auth remoteuser is actively being maintained? If not, I'd request maintainership.
Hi! I am working on a new stack for LDAP authentication. "Auth_remoteuser" is part of it. I need to have some of my patches merged. Are you the current maintainer? If not, should I request ownership, or are there any others?
Hello,
sorry for being that slow currently. Unfortunately, pre christmas weeks were really busy. Anyways, that's no excuse and now i got the time.
I started on testing your uploaded patch sets already. But i haven't finished my review yet.
And i still don't have owner rights on my gerrit account for that extension, so i can't give any +2 reviews (Thats why i didn't reviewed even easy to merge patch sets). I wrote an email to the current owner to add me to that specific group.
That's good news. Thanks. No need to apologize.
There are no older topics