On Thu, Feb 4, 2016 at 4:00 PM, Federico Leva (Nemo) &lt;nemowiki(a)gmail.com&gt; wrote: Off the top of my head, it goes something like this on WMF wikis. 1. You submit the login form on xxwiki. The response sets a bunch of cookies and redirects you to Special:CentralLogin/start on loginwiki. 2. Loginwiki sets some cookies and redirects you to Special:CentralLogin/complete on xxwiki. 3. xxwiki updates the cookies and redirects you to the returnto page. 4. The returnto page will have a number of <img> tags for 1x1 images to try to log you in to the other domains in the cluster. It'll also have one to try to update the cookies on loginwiki. The final set of cookies includes xxwikiSession, xxwikiUserID, and xxwikiUserName locally, and centralauth_Session, centralauth_User, and (if you checked "remember me") centralauth_Token set on the whole domain. For most domains the whole domain is like ".wikipedia.org", while for stuff under wikimedia.org it's the third level like "commons.wikimedia.org". Even if nothing below works, you *should* be logged in on xxwiki and loginwiki now. The 1x1 <img> tags work like this, when they work. They can fail if the browser blocks 1x1 images or third-party cookies. If any step fails due to not having the right cookies, it'll just stop there and serve the transparent PNG. 1. The <img> tag points to Special:CentralAutoLogin/start on the target wiki. This will redirect to Special:CentralAutoLogin/checkLoggedIn on loginwiki. 2. Loginwiki will redirect back to Special:CentralAutoLogin/createSession on the target wiki. Unless it thinks you're logged out, of course. 3. The target wiki will set a session cookie and redirect to Special:CentralAutoLogin/validateSession on loginwiki. 4. Loginwiki will redirect back to Special:CentralAutoLogin/setCookies on the target wiki. 5. The target wiki will set all the relevant cookies and serve a transparent 1x1 PNG. Now you should be logged in when you visit any wiki on the domain. When you visit a wiki, aren't logged in, and don't have the "I already did this" token set in local storage, it does something much like the 1x1 <img> flow except with a <script> tag via ResourceLoader. In the last step, it will serve some JS that either replaces the user bar at the top of the screen or shows a popup telling you to reload. If any step fails, it serves either a do-nothing script or one that sets the "I already did this" token. This also happens when you visit Special:UserLogin while logged out even if "I already did this" is set. Hope that helped. There's probably little point in reporting bugs against 1.27.0-wmf.12, wait for wmf.13 next Thursday in case they're fixed there. -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation

On Fri, Jun 17, 2016 at 9:15 AM, Federico Leva (Nemo) &lt;nemowiki(a)gmail.com&gt; wrote: The expectation for single sign-on is that you sign-on a single time and then you are signed on everywhere. If that's not what happens, feel free to file a bug, ideally with a HAR file or something equivalent. (I think there is one scenario when you need to login manually: when visiting a wiki that's not included in the autologin domains while being logged out, then logging in elsewhere, then visiting it again. The "user is logged out" cookie gets set on the first visit, so on the second one no autologin is attempted. But that should be very rare as Meta, Commons, and all the not *.wikimedia.org wikis are autologin domains, so this can only happen on exotic projects like outreach.wikimedia.org.)

Thanks for pointing out this expectation. Please place this goal statement somewhere on the wiki. I've sent bug reports with HAR files before, but it always proved to be a lot of effort for zero gain. Perhaps there are specific tips to debug such issues in a way that makes bug reporting effective? It's of course possible that my browser's settings are interfering, but the mentioned hypothesis sound like something that would prevent crosswiki login in all cases, not just on some domains. Nemo

On 17.06.2016 12:30, Gergo Tisza wrote: If this is what happens, and I not want it, what can I do? It is not rare that I need to be logged in with two identities at two sites, such as admin here and non-admin there. Purodha

Hi, This sound complicated and error prone. Can we not simply have an off-switch in the user settings? Purodha On 17.06.2016 19:32, Sylvain Boissel wrote:

On 19.06.2016 16:10, Brad Jorsch (Anomie) wrote: The unified account login has been a pain my ass since the very earliest discussions about it. I knew, it would not work well, and indeed, it does not work well. You argue like a car maker that now offers automatic car only, regardless of their customer base and regardless of the increased fuel consumption, wear, etc. I suggest, if you make an additional feature changing basic behavior, have it as an addition, not a replacement. If you must make it a default, you must add an option to switch it off. Purodha