I just tested the behavior in Safari and Firefox Nightly and found that (as expected):
1) Single sign-on from a fresh browser session doesn't work. The user is not logged into other wiki* sites.
2) Single sign-on works for wiki* sites that the user has previously logged into.
3) Single sign-out works.
I didn't mind the UX, but I could imagine some user annoyance. Here's an easy fix for Safari, Firefox 22+, and any browser with third-party cookies entirely disabled:
1) On login/logout, test whether third-party cookies are disabled. (For example, try to set/read/clear a cookie on wikitestthirdpartycookies.org.)
2) If a browser has third-party cookies disabled, do a series of first-party redirects to set or clear wiki* site cookies. (Google does something similar for google.com/youtube.com.)
While on the topic of wiki* logins, do y'all have any plans to implement HTTPS for password submission? My lab surveyed implementations on top websites not long ago and found that Wikipedia is one of very few to still use plaintext for credentials.
Best, Jonathan
On Tuesday, March 19, 2013 at 7:52 AM, Platonides wrote:
On 19/03/13 14:38, Seb35 wrote:
Hello,
According to [1] and [2], Firefox 22 (release June 25, 2013) will change the default third-party cookie policy: a third-party cookie will be authorized only if there is already a cookie set on the third-party website.
This would break most of the automatic login on sister projects on Wikimedia websites, since the page just after the login will no longer set cookies of sister projects, and you will have to manually log in to each domain (of level wikipedia.org, not of level de.wikipedia.org) -- I tested with Firefox 16.
What could be done to mitigate this effect? (...)
[1] http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
[2] https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_22
~ Seb35
Copying Jonathan Mayer. Background information: When you log into e.g. en.wikipedia.org, you get cookies logging you into not only *.wikipedia.org but also *.wiktionary.org, *.wiktionary.org, *.wikibooks.org, commons.wikimedia.org, etc.
Obviously, that uses third-party cookies.
Firefox 22 will block our single-login (unless you are already logged on the other project, which would be the case in which you would already have cookies there). If it can't be corrected, we will have to publicise this fact quite well, as I expect many complaints of "Unified login doesn't work".
Jonathan, do you have any suggestion?
An idea to fix it would be to take advantage of the new certificate which includes all projects, by having Firefox detect that the ‘third-party site’ belongs to the same entity, since they share the https certificate (we would need to enable https to all logins, but that was planned, anyway).
Regards
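
The series of first-party redirects suggested in the reply at the top of this thread can be sketched as follows. This is an added example, not code from the thread or from MediaWiki; the `.example` hostnames, the `/sso-hop` path, the token fields and the shared HMAC key are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-key"  # assumption: one key shared by all sister sites
CHAIN = ["wikipedia.example", "wiktionary.example", "wikibooks.example"]  # constructed

def sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify(token, host, now):
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    # Bound to one host and short-lived, so a leaked or replayed URL is rejected.
    if payload["aud"] != host or payload["exp"] < now:
        return None
    return payload

def hop_url(user, index, now):
    token = sign({"sub": user, "aud": CHAIN[index], "i": index, "exp": now + 30})
    return "https://" + CHAIN[index] + "/sso-hop?" + urlencode({"t": token})

def handle_hop(url, now, return_to):
    """One site's hop handler: returns (Set-Cookie value or None, redirect target)."""
    parts = urlparse(url)
    token = parse_qs(parts.query).get("t", [""])[0]
    payload = verify(token, parts.hostname, now)
    if payload is None:
        return None, return_to  # fail closed: no cookie, stop the chain
    # The browser is now on this host, so the cookie is first-party.
    cookie = "session=" + secrets.token_urlsafe(16) + "; Secure; HttpOnly; Path=/"
    nxt = payload["i"] + 1
    return cookie, (hop_url(payload["sub"], nxt, now) if nxt < len(CHAIN) else return_to)

def run_chain(user, now, return_to="https://wikipedia.example/wiki/Main_Page"):
    """Follow the redirects as a browser would and record which hosts set a cookie."""
    jar, url = {}, hop_url(user, 0, now)
    while url != return_to:
        host = urlparse(url).hostname
        cookie, url = handle_hop(url, now, return_to)
        if cookie:
            jar[host] = cookie
    return jar
```

Because the token travels in a URL, the sketch only makes sense over HTTPS, and the per-host audience and 30-second expiry are what keep a copied hop URL from being reused on another site or later.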