On Thu, Feb 4, 2016 at 4:00 PM, Federico Leva (Nemo) nemowiki@gmail.com wrote:
No, this is not what I'm talking about. My problems span multiple weeks or months and I reiterate my need for a document outlining the expected behaviour.
Off the top of my head, it goes something like this on WMF wikis.
1. You submit the login form on xxwiki. The response sets a bunch of cookies and redirects you to Special:CentralLogin/start on loginwiki.
2. Loginwiki sets some cookies and redirects you to Special:CentralLogin/complete on xxwiki.
3. xxwiki updates the cookies and redirects you to the returnto page.
4. The returnto page will have a number of <img> tags for 1x1 images to try to log you in to the other domains in the cluster. It'll also have one to try to update the cookies on loginwiki.
The final set of cookies includes xxwikiSession, xxwikiUserID, and xxwikiUserName locally, and centralauth_Session, centralauth_User, and (if you checked "remember me") centralauth_Token set on the whole domain. For most domains the whole domain is like ".wikipedia.org", while for stuff under wikimedia.org it's the third level like "commons.wikimedia.org".
Even if nothing below works, you *should* be logged in on xxwiki and loginwiki now.
The 1x1 <img> tags work like this, when they work. They can fail if the browser blocks 1x1 images or third-party cookies. If any step fails due to not having the right cookies, it'll just stop there and serve the transparent PNG.
1. The <img> tag points to Special:CentralAutoLogin/start on the target wiki. This will redirect to Special:CentralAutoLogin/checkLoggedIn on loginwiki.
2. Loginwiki will redirect back to Special:CentralAutoLogin/createSession on the target wiki. Unless it thinks you're logged out, of course.
3. The target wiki will set a session cookie and redirect to Special:CentralAutoLogin/validateSession on loginwiki.
4. Loginwiki will redirect back to Special:CentralAutoLogin/setCookies on the target wiki.
5. The target wiki will set all the relevant cookies and serve a transparent 1x1 PNG.
Now you should be logged in when you visit any wiki on the domain.
When you visit a wiki, aren't logged in, and don't have the "I already did this" token set in local storage, it does something much like the 1x1 <img> flow except with a <script> tag via ResourceLoader. In the last step, it will serve some JS that either replaces the user bar at the top of the screen or shows a popup telling you to reload. If any step fails, it serves either a do-nothing script or one that sets the "I already did this" token. This also happens when you visit Special:UserLogin while logged out even if "I already did this" is set.
Hope that helped. There's probably little point in reporting bugs against 1.27.0-wmf.12; wait for wmf.13 next Thursday in case they're fixed there.
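Added example, not part of the original message and not the wiki software's own code: a small checker that compares a recorded redirect trace (for instance, copied from the browser's network panel) against the five-step 1x1 <img> flow described above and reports the step at which it stopped. The host names, the /wiki/ URL layout, the 302 status and the image/png content type in the sample traces are constructed assumptions.

```python
from urllib.parse import urlparse

# Step order of the 1x1 <img> flow as listed in the message above:
# (which wiki answers, Special:CentralAutoLogin sub-page).
EXPECTED = [("target", "start"), ("login", "checkLoggedIn"),
            ("target", "createSession"), ("login", "validateSession"),
            ("target", "setCookies")]

def diagnose(hops, target_host, login_host):
    """hops: (url, status, content_type) tuples in the order the browser saw them.
    Returns (completed, last_step_reached, reason)."""
    hosts = {"target": target_host, "login": login_host}
    reached = None
    for i, (role, step) in enumerate(EXPECTED):
        if i >= len(hops):
            return False, reached, f"trace ends before {step}"
        url, status, ctype = hops[i]
        parsed = urlparse(url)
        if parsed.hostname != hosts[role] or not parsed.path.endswith(
                "Special:CentralAutoLogin/" + step):
            return False, reached, f"hop {i + 1} is not {step} on the {role} wiki"
        reached = step
        served_png = status == 200 and ctype == "image/png"
        if step == "setCookies":  # last step: the PNG is the expected outcome
            if served_png:
                return True, reached, "final PNG served"
            return False, reached, "setCookies did not serve the PNG"
        if served_png:  # an earlier step gave up and served the fallback image
            return False, reached, "PNG served instead of a redirect"
        if not 300 <= status < 400:
            return False, reached, f"unexpected status {status}"

# Constructed traces (hosts, URL layout and status codes are assumptions).
T, L = "xx.wiki.example", "login.wiki.example"

def hop(host, step, status, ctype=""):
    return (f"https://{host}/wiki/Special:CentralAutoLogin/{step}", status, ctype)

COMPLETE = [hop(T, "start", 302), hop(L, "checkLoggedIn", 302),
            hop(T, "createSession", 302), hop(L, "validateSession", 302),
            hop(T, "setCookies", 200, "image/png")]
# Loginwiki did not get the cookies it needs, so the chain stops at step 1's target.
BLOCKED = [hop(T, "start", 302), hop(L, "checkLoggedIn", 200, "image/png")]

if __name__ == "__main__":
    print(diagnose(COMPLETE, T, L))
    print(diagnose(BLOCKED, T, L))
```

A trace that ends with the PNG at any sub-page other than setCookies corresponds to the "stop there and serve the transparent PNG" case, and the reported step tells you which wiki was missing its cookies.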