Since April 2010,[1] when no lgtoken is passed to the Action API action=login it will return a "NeedToken" response including the token to use. While this method of fetching the login token was deprecated in January 2016,[2] it is still present for the benefit of clients that have not yet been updated and is not (yet) being removed.
The NeedToken response was also being returned when an lgtoken was supplied but could not be validated due to session loss. While this made sense back in 2010 when the NeedToken response was the only way to fetch the login token, these days it is mainly confusing[3] and a way for clients with broken cookie handling to wind up in a loop.
With the merge of Gerrit change 586448,[4] the API will no longer return NeedToken when lgtoken was supplied. If the token cannot be validated due to session loss, a "Failed" response will be returned with a message referring to session loss as the problem.
Note that the change HAS NOT been deployed to Wikimedia sites as of the time of this email. If your client's ability to log in broke on 6 April 2020, the cause is most likely an unrelated change to Wikimedia's infrastructure that caused some HTTP headers to be output with HTTP/2 standard casing, i.e. "set-cookie" rather than the traditional "Set-Cookie". See
https://phabricator.wikimedia.org/T249680 for details and further discussion of that situation.
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation