Page Forms and Immutable Sessions

Revansx
Enst80

See my answer (and question) here.

"First Save" session bug on MW 1.30 + Auth_RU 2.01

Revansx

@Enst80 @Otheus Hey guys, I'm in dire need of some help/insight on solving the "First Save" bug [0].

My system is:

  • RHEL7 with CA Policy Agent to ensure authenticated sessions via remote enterprise identity provider.
  • Mediawiki - 1.30.0 (830bb58)
  • Auth_remoteuser - 2.0.1 (0af2823) 16:22, 24 April 2018

My Auth_remoteuser config is:

else                                   { $HTTP_AGENCYUID = null; }
$wgGroupPermissions['*']['autocreateaccount'] = true;
wfLoadExtension( 'Auth_remoteuser' );  
$wgAuthRemoteuserUserName = $HTTP_AGENCYUID;
$wgAuthRemoteuserUserPrefsForced = [
    'email'    => $HTTP_AGENCYEMAIL,
    'realname' => $HTTP_DISPLAYNAME
];

and an analysis of my session header is shown here:

The claim from this discussion [1] seems to be that the Auto Login module doesn't create a proper user session.

It is only after the user makes a "first save" attempt (which fails) that the user's session is fully established.

Please help!!! :-) -Rich

[0] https://www.mediawiki.org/wiki/Extension_talk:Auth_remoteuser#%22First_Save%22_bug_with_MW_1.30_and_AuthRU_2.0.2

[1] https://meta.wikimedia.org/wiki/User_talk:Otheus/Auto_Login_via_REMOTE_USER#First-Save_Bug

Enst80

The uploaded patch https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Auth_remoteuser/+/445775/ should solve this problem ;-)

The bug caused the SessionManager to reset the session id on the first request and this in turn causes the response header to send a cookie session delete instead of cookie session id set. In total there were 4 differing session ids created (2 on the first request, 2 on the second request) and only the 4th id got used with the next request (3rd and ongoing) then.

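One way to check captured responses for the symptom described in this thread (the first response deleting the session cookie instead of setting it), as an added example that is not part of the discussion or of the Auth_remoteuser code. The cookie name `wiki_session`, the sample headers, and the rule that a `deleted` value, a non-positive `Max-Age` or a 1970 `Expires` means a deletion are assumptions.

```python
SESSION_COOKIE = "wiki_session"  # assumed name; MediaWiki uses "<cookie prefix>_session"

# Constructed captures: the Set-Cookie headers of three consecutive responses.
BUGGY = [
    ["wiki_session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly"],
    ["wikiUserName=ExampleUser; path=/", "wiki_session=k3v9q1aa; path=/; HttpOnly"],
    [],
]
FIXED = [["wiki_session=k3v9q1aa; path=/; HttpOnly"], [], []]


def classify(header, name=SESSION_COOKIE):
    """Return ('set' | 'delete', value) if this Set-Cookie touches the session cookie, else None."""
    first, *rest = [part.strip() for part in header.split(";")]
    cname, _, value = first.partition("=")
    if cname.strip() != name:
        return None
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    max_age = attrs.get("max-age", "")
    # Assumed deletion markers: placeholder value, Max-Age <= 0, or an epoch-year Expires.
    expired = max_age == "0" or max_age.startswith("-") or "1970" in attrs.get("expires", "")
    deleted = value.strip() in ("", "deleted") or expired
    return ("delete" if deleted else "set", value.strip())


def analyse(responses, name=SESSION_COOKIE):
    """Summarise what each response does to the session cookie, in request order."""
    actions, ids = [], []
    for headers in responses:
        last = None
        for header in headers:
            hit = classify(header, name)
            if hit is None:
                continue
            last = hit[0]  # the last matching header in a response wins
            if last == "set" and hit[1] not in ids:
                ids.append(hit[1])
        actions.append(last)
    return {
        "first_response_deletes_session": bool(actions) and actions[0] == "delete",
        "actions": actions,
        "ids_issued": ids,
    }


if __name__ == "__main__":
    for label, capture in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, analyse(capture))
```
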

Implemented Code Review on 383845

Osnard
Enst80

Heya, thank you. I recognized it already but have to apologize for the late reply - though I've just been a bit busy. Will spend my time on it next week.

Osnard

Awesome. Take your time, no hurry. I just wanted to make sure that there is still somebody actively maintaining the extension :)

Osnard

Hi, sorry to bother you again. Can you tell me if Extension:Auth remoteuser is actively being maintained? If not, I'd request maintainership.

Osnard

Hi! I am working on a new stack for LDAP authentication. "Auth_remoteuser" is part of it. I need to have some of my patches merged. Are you the current maintainer? If not, should I request ownership, or are there any others?

Enst80


Sorry for being that slow currently. Unfortunately, the pre-Christmas weeks were really busy. Anyways, that's no excuse and now I've got the time.

I started on testing your uploaded patch sets already. But I haven't finished my review yet.

And I still don't have owner rights on my Gerrit account for that extension, so I can't give any +2 reviews (that's why I didn't review even easy-to-merge patch sets). I wrote an email to the current owner to add me to that specific group.

Osnard

That's good news. Thanks. No need to apologize.
