I just tested the behavior in Safari and Firefox Nightly and found that (as expected):
1) Single sign-on from a fresh browser session doesn't work. The user is not logged
into other wiki* sites.
2) Single sign-on works for wiki* sites that the user has previously logged into.
3) Single sign-out works.
I didn't mind the UX, but I could imagine some user annoyance. Here's an easy fix
for Safari, Firefox 22+, and any browser with third-party cookies entirely disabled:
1) On login/logout, test whether third-party cookies are disabled. (For example, try to
set/read/clear a cookie on wikitestthirdpartycookies.org.)
2) If a browser has third-party cookies disabled, do a series of first-party redirects to
set or clear wiki* site cookies. (Google does something similar for
google.com/youtube.com.)
While on the topic of wiki* logins, do y'all have any plans to implement HTTPS for
password submission? My lab surveyed implementations on top websites not long ago and
found that Wikipedia is one of very few to still use plaintext for credentials.
Best,
Jonathan
On Tuesday, March 19, 2013 at 7:52 AM, Platonides wrote:
On 19/03/13 14:38, Seb35 wrote:
Hello,
According to [1] and [2], Firefox 22 (release June 25, 2013) will change
the default third-party cookie policy: a third-party cookie will be
authorized only if there is already a cookie set on the third-party
website.
This would break most of the automatic logins on sister projects on
Wikimedia websites, since the page just after the log in will no longer
set cookies of sister projects, and you will have to manually log in to
each domain (of level wikipedia.org, not of level de.wikipedia.org) -- I
tested with Firefox 16.
What could be done to mitigate this effect? (...)
[1] http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
[2] https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_22
~ Seb35
Copying Jonathan Mayer.
Background information: When you log into e.g. en.wikipedia.org, you get
cookies logging you into not only *.wikipedia.org but also *.wiktionary.org,
*.wikibooks.org, commons.wikimedia.org, etc.
Obviously, that uses third-party cookies.
Firefox 22 will block our single-login (unless you are already logged on
the other project, which would be the case in which you would already
have cookies there).
If it can't be corrected, we will have to publicise this fact quite
well, as I expect many complaints of "Unified login doesn't work".
Jonathan, do you have any suggestion?
An idea to fix it would be to take advantage of the new certificate
which includes all projects, by having Firefox detect that the
‘third-party site’ belongs to the same entity, since they share the https
certificate (we would need to enable https for all logins, but that was
planned, anyway).
Regards