On Thu, Feb 4, 2016 at 4:00 PM, Federico Leva (Nemo) <nemowiki(a)gmail.com> wrote:

> No, this is not what I'm talking about. My problems span multiple weeks or
> months and I reiterate my need for a document outlining the expected

Off the top of my head, it goes something like this on WMF wikis.

1. You submit the login form on xxwiki. The response sets a bunch of
   cookies and redirects you to Special:CentralLogin/start on loginwiki.
2. Loginwiki sets some cookies and redirects you to
   Special:CentralLogin/complete on xxwiki.
3. xxwiki updates the cookies and redirects you to the returnto page.
4. The returnto page will have a number of <img> tags for 1x1 images to
   try to log you in to the other domains in the cluster. It'll also have one
   to try to update the cookies on loginwiki.

The final set of cookies includes xxwikiSession, xxwikiUserID, and
xxwikiUserName locally, and centralauth_Session, centralauth_User, and (if
you checked "remember me") centralauth_Token set on the whole domain. For
most domains the whole domain is like ".wikipedia.org", while for stuff
it's the third level like "commons.wikimedia.org".

Even if nothing below works, you *should* be logged in on xxwiki and

The 1x1 <img> tags work like this, when they work. They can fail if the
browser blocks 1x1 images or third-party cookies. If any step fails due to
not having the right cookies, it'll just stop there and serve the

1. The <img> tag points to Special:CentralAutoLogin/start on the target
   wiki. This will redirect to Special:CentralAutoLogin/checkLoggedIn on
2. Loginwiki will redirect back to
   Special:CentralAutoLogin/createSession on the target wiki. Unless it thinks
   you're logged out, of course.
3. The target wiki will set a session cookie and redirect to
   Special:CentralAutoLogin/validateSession on loginwiki.
4. Loginwiki will redirect back to Special:CentralAutoLogin/setCookies
   on the target wiki.
5. The target wiki will set all the relevant cookies and serve a
   transparent 1x1 PNG. Now you should be logged in when you visit any wiki on

When you visit a wiki, aren't logged in, and don't have the "I already did
this" token set in local storage, it does something much like the 1x1 <img>
flow except with a <script> tag via ResourceLoader. In the last step, it
will serve some JS that either replaces the user bar at the top of the
screen or shows a popup telling you to reload. If any step fails, it serves
either a do-nothing script or one that sets the "I already did this" token.
This also happens when you visit Special:UserLogin while logged out even if
"I already did this" is set.

Hope that helped. There's probably little point in reporting bugs against
1.27.0-wmf.12, wait for wmf.13 next Thursday in case they're fixed there.

Brad Jorsch (Anomie)
Senior Software Engineer
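
The following is an added example, not part of the original message and not CentralAuth code: a small checker that compares a recorded redirect chain against the five Special:CentralAutoLogin hops listed above, reports where the flow stopped, and lists which of the cookies named above are missing. The host names, the wiki id `xxwiki` and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Expected Special:CentralAutoLogin hops, in order, and which side serves each:
# "target" is the wiki being logged in to, "login" is loginwiki.
EXPECTED = [("start", "target"), ("checkLoggedIn", "login"),
            ("createSession", "target"), ("validateSession", "login"),
            ("setCookies", "target")]
PREFIX = "Special:CentralAutoLogin/"

def parse_hop(url):
    """Return (host, step); step is None if this is not a CentralAutoLogin URL."""
    parts = urlsplit(url)
    text = unquote(parts.path + "?" + parts.query)  # covers /wiki/ and ?title= forms
    _, found, rest = text.partition(PREFIX)
    step = re.split(r"[?&/]", rest, maxsplit=1)[0] if found else None
    return parts.hostname, step

def diagnose(chain, target_host, login_host):
    """Return (last completed step or None, reason the flow stopped or None)."""
    hosts = {"target": target_host, "login": login_host}
    done = None
    for (step, side), url in zip(EXPECTED, chain):
        host, seen = parse_hop(url)
        if seen != step:
            return done, f"expected {step}, got {seen or 'a non-CentralAutoLogin URL'}"
        if host != hosts[side]:
            return done, f"{step} served by {host}, expected {hosts[side]}"
        done = step
    if len(chain) < len(EXPECTED):
        return done, f"chain stopped before {EXPECTED[len(chain)][0]}"
    return done, None

def missing_cookies(names, wiki_id, remember_me=False):
    """Cookies from the final set described in the message that are absent."""
    expected = {f"{wiki_id}Session", f"{wiki_id}UserID", f"{wiki_id}UserName",
                "centralauth_Session", "centralauth_User"}
    if remember_me:
        expected.add("centralauth_Token")
    return sorted(expected - set(names))

# Constructed sample chain (hosts are assumptions, not taken from the message).
SAMPLE = [
    "https://xx.wikipedia.org/wiki/Special:CentralAutoLogin/start",
    "https://login.wikimedia.org/wiki/Special:CentralAutoLogin/checkLoggedIn",
    "https://xx.wikipedia.org/w/index.php?title=Special:CentralAutoLogin/createSession",
    "https://login.wikimedia.org/wiki/Special:CentralAutoLogin/validateSession",
    "https://xx.wikipedia.org/wiki/Special:CentralAutoLogin/setCookies",
]
```

Feed it the request URLs from a browser network log filtered to the 1x1 image request; a chain that ends early points at the hop whose cookies were missing or blocked.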