[Wikitech-l] CentralAuth shared session updates

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yesterday, Werdna and Tim committed some initial code for adding shared login session state to CentralAuth. The promise of this is that not only do you have the same login state on multiple wikis, but you only have to go through the login form once -- your login will be active on the other sites as well. There are two parts to this: 1) Central session data is maintained alongside the local sessions. A cookie with the session key (or long-term login token) is shared across an entire domain (say, wikipedia.org), letting all wikis on that domain initialize their local sessions when you navigate to them. 2) On login, the central session cookies are set at multiple mid-level domains. This is done by loading a special login URL at each domain as an inline image; that then sets a cookie for its domain as it's loaded. This allows us to set, for instance, a cookie for wiktionary.org when you logged in from wikipedia.org. I've been doing some code review, local testing, and tweaking. The general theory is reasonably sound though I have some concerns and notes... Security: The sessions are set on other domains by passing an internal token value on a URL -- an unencrypted HTTP GET request. It's bad enough we're still passing all kinds of stuff around in unencrypted cookies, but those GET URLs go into all sorts of logs, which seems pretty creepy to me. I'd be more comfortable with one-time-use tokens, which won't be of any use to anyone once they've seen them. Resetting them on logout only helps insofar as anyone actually logs out... I know I never do. :) Compatibility: Third-party cookies can be disabled by various browser options and privacy proxies. The 1x1 invisible PNG may itself be blocked by privacy or ad proxies. It may or may not be more compatible to use little iframes or something.... or that might just suck. :) Anyway, should be considered. Logging out: Currently, logout only clears your global session cookies; it doesn't clear local session state. You log in once, but you may have to log out many times. Incomplete migrations: I haven't thoroughly tested, but my impression is that the global session state will only get set up properly if the remote wiki that happens to get hit for that domain has the global account. If there's a non-matching local account there, it looks like it won't set the session for the whole domain. - -- brion vibber (brion @ wikimedia.org)