BBlack has submitted this change and it was merged. Change subject: refactor wikidata CA cookies workarounds a bit ......................................................................
refactor wikidata CA cookies workarounds a bit Bug: T109038 Change-Id: I243998e2c03d5e5e98f56293e89753ffab33921d --- M templates/varnish/text-frontend.inc.vcl.erb 1 file changed, 17 insertions(+), 15 deletions(-) Approvals: JanZerebecki: Looks good to me, but someone else must approve BBlack: Verified; Looks good to me, approved
diff --git a/templates/varnish/text-frontend.inc.vcl.erb b/templates/varnish/text-frontend.inc.vcl.erb
index 9739e52..20eeb4e 100644
--- a/templates/varnish/text-frontend.inc.vcl.erb
+++ b/templates/varnish/text-frontend.inc.vcl.erb
@@ -198,20 +198,22 @@ call analytics_last_access_deliver; // This is a temporary hack to work around issues from T109038
- // We should be able to remove this sometime after Sept 16, 2015, as the old CA cookies should have 30d expiry.
- // For any request Host ending in "wikidata.org", if we see a double-value for the CA token, try to delete the one at .wikidata.org.
- if(req.http.Host ~ "(?i)(^|\.)wikidata\.org$" && req.http.Cookie ~ "centralauth_Token.*centralauth_Token") {
- // The exact format of the cookie-delete string is copied from examples of normal CA cookie deletes (e.g. for logouts?) seen in traffic logs
- header.append(resp.http.Set-Cookie, "centralauth_Token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
- }
- // As above for centralauth_User (see https://phabricator.wikimedia.org/T109038#1562651)
- if(req.http.Host ~ "(?i)(^|\.)wikidata\.org$" && req.http.Cookie ~ "centralauth_User.*centralauth_User") {
- // The exact format of the cookie-delete string is copied from examples of normal CA cookie deletes (e.g. for logouts?) seen in traffic logs
- header.append(resp.http.Set-Cookie, "centralauth_User=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
- }
- // another variant with centralauth_Session (see https://phabricator.wikimedia.org/T109038#1581615 )
- if(req.http.Host ~ "(?i)(^|\.)wikidata\.org$" && req.http.Cookie ~ "centralauth_Session.*centralauth_Session") {
- // The exact format of the cookie-delete string is copied from examples of normal CA cookie deletes (e.g. for logouts?) seen in traffic logs
- header.append(resp.http.Set-Cookie, "centralauth_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
+ // We should be able to remove this sometime after Sept 16, 2015, as
+ // the old CA cookies should have 30d expiry.
+ // For any request Host ending in "wikidata.org", if we see a
+ // double-value for the CA token, user, or session, try to delete the
+ // one at .wikidata.org.
+ // The exact format of the cookie-delete strings is copied from
+ // examples of normal CA cookie deletes seen in traffic logs
+ if (req.http.Host ~ "(?i)(^|\.)wikidata\.org$") {
+ if (req.http.Cookie ~ "centralauth_Token.*centralauth_Token") {
+ header.append(resp.http.Set-Cookie, "centralauth_Token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
+ }
+ if(req.http.Cookie ~ "centralauth_User.*centralauth_User") {
+ header.append(resp.http.Set-Cookie, "centralauth_User=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
+ }
+ if(req.http.Cookie ~ "centralauth_Session.*centralauth_Session") {
+ header.append(resp.http.Set-Cookie, "centralauth_Session=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.wikidata.org; secure; httponly");
+ }
} } -- To view, visit https://gerrit.wikimedia.org/r/234517 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I243998e2c03d5e5e98f56293e89753ffab33921d Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: JanZerebecki <jan.wikime...@zerebecki.de> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
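Review bot: The duplicate-cookie tests such as `req.http.Cookie ~ "centralauth_Token.*centralauth_Token"` are unanchored substring matches, so they fire whenever the name occurs twice anywhere in the Cookie header, including inside another cookie's value or as part of a longer cookie name, and not only when two cookies of that name are actually present. Because a match makes the response append a delete for the `.wikidata.org`-scoped cookie, it would be safer to anchor on cookie boundaries, e.g. `"(^|;\s*)centralauth_Token=.*;\s*centralauth_Token="`, and likewise for the `centralauth_User` and `centralauth_Session` tests. The merged comment also drops the two Phabricator comment links (T109038#1562651 and T109038#1581615) that explained the User and Session variants; keeping them beside the inner tests would help whoever removes this temporary hack. The inner tests also mix `if (` and `if(`. The enclosing sub begins outside the hunk.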