jenkins-bot has submitted this change and it was merged.
Change subject: Avoid stomping on the existing session when logging into
loginwiki
......................................................................
Avoid stomping on the existing session when logging into loginwiki
The normal process when logging in with a central wiki is
1. The session is created locally,
2. We redirect to the central wiki to create a stub session,
3. We redirect back to the edge wiki to unstub the login wiki's stub
session.
But if you try to log in to the central wiki directly, step 2 stomps on
the session that was created in step 1 since they use the exact same
cookies. Then when step 3 comes around there isn't the logged-in session
anymore to be able to complete the process.
The solution is to skip the "create a stub session" bit if the central
wiki already has a full session. Step 3 won't hurt anything because
the unstubbing process on the non-stub session won't change anything.
Also, this removes the attempt to raise an error if someone is switching
accounts: the check has never actually worked due to looking at
$session['name'] instead of $session['user'] and no one has ever
noticed, so presumably it's no problem to just allow switching users.
Bug: T125139
Change-Id: Ibfc6beb201873d6b14d66eb8a9055f268f10ee9c
---
M includes/specials/SpecialCentralLogin.php
1 file changed, 34 insertions(+), 31 deletions(-)
Approvals:
BryanDavis: Looks good to me, approved
jenkins-bot: Verified
diff --git a/includes/specials/SpecialCentralLogin.php
b/includes/specials/SpecialCentralLogin.php
index 97c06a6..3d61abb 100644
--- a/includes/specials/SpecialCentralLogin.php
+++ b/includes/specials/SpecialCentralLogin.php
@@ -85,18 +85,16 @@
// If the user has a full session, make sure that the names
match up.
// If they do, then send the user back to the "login
successful" page.
// We want to avoid overwriting any session that may already
exist.
- if ( isset( $session['name'] ) ) { // fully initialized session
- if ( $session['name'] !== $centralUser->getName() ) {
- // @FIXME: what if a user wants to login under
another account?
- $this->showError(
'centralauth-error-token-wronguser' );
+ $createStubSession = true;
+ if ( isset( $session['user'] ) ) { // fully initialized session
+ if ( $session['user'] !== $centralUser->getName() ) {
+ // User is trying to switch accounts. Let them
do so by
+ // creating a new central session.
} else {
- $wiki = WikiMap::getWiki( $info['wikiId'] );
- // Use WikiReference::getFullUrl(), returns a
protocol-relative URL if needed
- $this->getOutput()->redirect( // expands to
PROTO_CURRENT
- $wiki->getFullUrl(
'Special:CentralLogin/status' )
- );
+ // They're already logged in to the target
account, don't stomp
+ // on the existing session! (T125139)
+ $createStubSession = false;
}
- return; // don't override session
// If the user has a stub session, error out if the names do
not match up
} elseif ( isset( $session['pending_name'] ) ) { // stub session
if ( $session['pending_name'] !==
$centralUser->getName() ) {
@@ -108,29 +106,34 @@
// Delete the temporary token
$cache->delete( $key );
- // Determine if we can use the default cookie security, or if
we need
- // to override it to insecure
- $secureCookie = $info['secureCookies'];
+ if ( $createStubSession ) {
+ // Determine if we can use the default cookie security,
or if we need
+ // to override it to insecure
+ $secureCookie = $info['secureCookies'];
- // Start an unusable placeholder session stub and send a cookie.
- // The cookie will not be usable until the session is unstubbed.
- // Note: the "remember me" token must be dealt with later
(security).
- if ( $this->session ) {
- $delay = $this->session->delaySave();
- $this->session->setUser( User::newFromName(
$centralUser->getName() ) );
- $newSessionId = CentralAuthUtils::setCentralSession(
array(
- 'pending_name' => $centralUser->getName(),
- 'pending_guid' => $centralUser->getId()
- ), true, $this->session );
- $this->session->persist();
- ScopedCallback::consume( $delay );
+ // Start an unusable placeholder session stub and send
a cookie.
+ // The cookie will not be usable until the session is
unstubbed.
+ // Note: the "remember me" token must be dealt with
later (security).
+ if ( $this->session ) {
+ $delay = $this->session->delaySave();
+ $this->session->setUser( User::newFromName(
$centralUser->getName() ) );
+ $newSessionId =
CentralAuthUtils::setCentralSession( array(
+ 'pending_name' =>
$centralUser->getName(),
+ 'pending_guid' => $centralUser->getId()
+ ), true, $this->session );
+ $this->session->persist();
+ ScopedCallback::consume( $delay );
+ } else {
+ $newSessionId =
CentralAuthSessionCompat::setCentralSession( array(
+ 'pending_name' =>
$centralUser->getName(),
+ 'pending_guid' => $centralUser->getId()
+ ), true, $secureCookie );
+ CentralAuthSessionCompat::setCookie( 'User',
$centralUser->getName(), -1, $secureCookie );
+ CentralAuthSessionCompat::setCookie( 'Token',
'', -86400, $secureCookie );
+ }
} else {
- $newSessionId =
CentralAuthSessionCompat::setCentralSession( array(
- 'pending_name' => $centralUser->getName(),
- 'pending_guid' => $centralUser->getId()
- ), true, $secureCookie );
- CentralAuthSessionCompat::setCookie( 'User',
$centralUser->getName(), -1, $secureCookie );
- CentralAuthSessionCompat::setCookie( 'Token', '',
-86400, $secureCookie );
+ // Since the full central session already exists, reuse
it.
+ $newSessionId = $session['sessionId'];
}
// Create a new token to pass to Special:CentralLogin/complete
(local wiki).
--
To view, visit https://gerrit.wikimedia.org/r/267948
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ibfc6beb201873d6b14d66eb8a9055f268f10ee9c
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Gergő Tisza <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
