Page MenuHomePhabricator
Create Task
Maniphest T252236

Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome
Closed, ResolvedPublic
Actions

Description

If we don't then most likely means people can no longer login to Wikipedia the normal way. Or they might be able to login manually, but won't be able to upload files to Commons, interact with Wikidata, send in-page feedback to talk pages on mediawiki.org or Meta-Wiki (like for VisualEditor), etc.

It would also mean when following cross-wiki projects like from Wikipedia to Wikidata/Commons/Wiktionary etc the user might not be auto-logged in.

Browser console (in Chrome)
A cookie associated with a cross-site resource at https://login.wikimedia.org/ was set
without the `SameSite` attribute. A future release of Chrome will only deliver cookies with
cross-site requests if they are set with `SameSite=None` and `Secure`.

You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

See also: Cookies default to SameSite=Lax (chromestatus.com)
See also: Reject insecure SameSite=None cookies (chromestatus.com)

  • (July 2019) This feature is available for testing in Chrome 76 for developers by enabling the cookies-without-same-site-must-be-secure flag. (ref)*

Timeline from https://www.chromium.org/updates/same-site:

  • Oct 2019: 50% of Chrome Beta users.
  • Feb 2020: Enforced for 1% of Chrome stable for 1 week.
  • March 2020: Enforced for 10%, 25%, and then 50% of Chrome stable
  • April 2020: Enforcement reduced to 0% for Chrome stable. It remains at 50% of Chrome Beta. (Reason: COVID19).
  • July 2020: Enforcement will we enabled for Chrome Stable in Chrome 84 on July 14. (news)

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2020, 6:44 PM
Krinkle mentioned this in T244952: warnings and errors on console when loading content translation.May 8 2020, 6:49 PM
Krinkle added a subtask: T158604: Investigate usefulness of SameSite cookies for logged-in accounts.
Paladox subscribed.May 8 2020, 7:31 PM
Krinkle added a subtask: T202028: CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox.May 8 2020, 7:45 PM
Krinkle mentioned this in T252244: CentralAuth extension: Code stewardship review.May 8 2020, 8:20 PM
Krinkle renamed this task from Prepare login.wikimedia.org for deprecation of SameSite=None cross-site cookies in Chrome to Prepare login.wikimedia.org for removal of SameSite=None cross-site cookies in Chrome.May 8 2020, 9:38 PM
Krinkle renamed this task from Prepare login.wikimedia.org for removal of SameSite=None cross-site cookies in Chrome to Prepare login.wikimedia.org for requirement of SameSite=None cross-site cookies in Chrome.
Tgr subscribed.May 10 2020, 1:39 PM

So I guess what's needed is:

  • add SameSite option to the cookie logic in WebResponse (we might as well default it to Lax which should be OK for most of our cookies)
  • add a SameSite option to CookieSessionProvider which it would pass to WebResponse
  • default that option to None in CentralAuthSessionProvider
Jdforrester-WMF subscribed.May 14 2020, 12:27 AM
Krinkle updated the task description. (Show Details)Jun 3 2020, 7:04 PM
Krinkle added a comment.Jun 3 2020, 7:10 PM
  • Enforcement will we enabled for Chrome Stable in Chrome 84 on July 14. (news)
  • Firefox has also started enforcing this on their Betas meanwhile, and has scheduled release to Stable for Firefox 79 (July 28). (bug, schedule)
Tgr added a parent task: T255366: SameSite cookie issues.Jun 14 2020, 11:48 AM
Krinkle renamed this task from Prepare login.wikimedia.org for requirement of SameSite=None cross-site cookies in Chrome to Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.Jun 14 2020, 3:47 PM
Krinkle added a subtask: T253662: The "forceHttps" cookie is misusing the recommended “sameSite“ attribute.
Nirmos subscribed.Jun 16 2020, 11:21 AM
Krinkle added a subtask: T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.Jun 16 2020, 3:26 PM
Krinkle changed the status of subtask T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again from Stalled to Open.
Krinkle triaged this task as High priority.Jun 16 2020, 3:29 PM
Wiki13 subscribed.Jun 18 2020, 10:19 AM

Not only Chrome will have issues with, but Firefox too. As a matter of fact. I run pre-release versions of both browsers (I know, not recommended, but doesn't give much problems usually) and on both the login process is severly broken. Let's say I login on my homewiki (nlwiki). I will get a cookie for *.wikipedia,org as its the same domain. Same goes for wikis that are on *.wikimedia.org, because as far I understand a cookie will be set for that through login.wikimedia.org. Any other domains (Wikiquote, Wikinews, Wikidata, etc...) will not log you in and will require you to login normally, which can be a real pain if you are someone who works on a multitude of different projects (SWMT) and use 2FA. I can however note, that current release versions of these browsers and those based on it still work okayish (still requires me to force-reload page, when in the past that wasn't even neccesary).

Hopefully this gives you an idea on what kind of impact the changes by the browser makers have on the CentralAuth login

Aklapper added a comment.Jun 19 2020, 6:01 AM

Should T202028: CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox be merged into this ticket?

tstarling subscribed.Jun 22 2020, 6:17 AM

There are a bunch of browsers still in basic support that will break if we send SameSite=None. It will be necessary to check the User-Agent header before sending it.

tstarling claimed this task.Jun 22 2020, 6:18 AM

I've been asked to work on this.

taavi subscribed.Jun 22 2020, 6:27 AM
tstarling closed subtask T253662: The "forceHttps" cookie is misusing the recommended “sameSite“ attribute as Invalid.Jun 23 2020, 5:04 AM
stwalkerster subscribed.Jun 24 2020, 6:56 PM
Wiki13 mentioned this in T256525: Stay logged in doesn’t work, global login doesn’t work on different projects.Jun 27 2020, 8:37 AM
RhinosF1 subscribed.Jun 27 2020, 8:44 AM
CDanis subscribed.Jun 30 2020, 12:15 AM
ori subscribed.Jun 30 2020, 5:02 AM
In T252236#6243258, @tstarling wrote:

There are a bunch of browsers still in basic support that will break if we send SameSite=None. It will be necessary to check the User-Agent header before sending it.

In case it's useful, I saw an existing VCL implementation of the UA sniffing pseudocode from https://www.chromium.org/updates/same-site/incompatible-clients:
https://github.com/varnishcache/varnish-devicedetect/pull/45/commits/052e174b9d

tstarling added a comment.Jun 30 2020, 5:34 AM

PHP's setcookie() only added support for SameSite in PHP 7.3. It will be necessary to emulate it with header().

Krinkle updated the task description. (Show Details)Jul 1 2020, 2:14 AM
tstarling added a comment.Jul 1 2020, 10:41 AM

Testing on Firefox and Chromium shows that it is necessary to set SameSite=None on local session cookies in order for cross-site autologin to work. When a wiki is visited by a user who is logged in centrally but not locally, there is a four step process driven by redirects: central/checkLoggedIn -> local/createSession -> central/validateSession -> local/setCookies. Both browsers agree that a redirect from the central wiki to the local wiki is a cross-site request even though the top-level origin is the local wiki, so Lax cookies are not sent. Patching MW to make the local (and central) session cookies have SameSite=None causes autologin to work in both browsers.

Maybe there is a way to make it work by redesigning autologin, but that is beyond the scope of this task. My patch will just set SameSite=None on a sufficient number of cookies.

tstarling added a comment.Jul 1 2020, 11:30 PM

There is the question of how much we really care about the incompatible browsers, since the recommended solution for them (sending two cookies) is quite intrusive. I ran some queries in Turnilo. As a percentage of non-bot page views in the latest day:

  • Chrome 51-66: 0.3%
  • iOS 12: 2.5%
  • Safari on Mac OS 10.14: 0.4%

So it comes down to how much we care about supporting autologin for these browsers. Local login should continue to work regardless.

tstarling added a comment.Jul 2 2020, 12:46 AM
In T252236#6273311, @tstarling wrote:

Local login should continue to work regardless.

Sorry, this was not correct. If local login cookies use SameSite=None, the incompatible browsers will drop the cookie, causing login to fail. I've installed Chromium 66 and observed this situation, and tested the fix.

gerritbot added a comment.Jul 2 2020, 6:55 AM

Change 608993 had a related patch set uploaded (by Tim Starling; owner: Tim Starling):
[mediawiki/core@master] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/c/mediawiki/core/ /608993

gerritbot added a project: Patch-For-Review.Jul 2 2020, 6:56 AM

Change 609097 had a related patch set uploaded (by Tim Starling; owner: Tim Starling):
[mediawiki/extensions/CentralAuth@master] Add SameSite=None support

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/ /609097

gerritbot added a comment.Jul 7 2020, 1:55 AM

Change 608993 merged by jenkins-bot:
[mediawiki/core@master] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/608993

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.41; 2020-07-14).Jul 7 2020, 2:00 AM
Krinkle added a subtask: T256095: Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional.Jul 7 2020, 2:50 AM
gerritbot added a comment.Jul 7 2020, 2:50 AM

Change 609097 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Add SameSite=None support

https://gerrit.wikimedia.org/r/609097

gerritbot added a comment.Jul 7 2020, 6:22 PM

Change 610127 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Beta Cluster)

https://gerrit.wikimedia.org/r/610127

RhinosF1 added a comment.Jul 7 2020, 6:36 PM

Will/Can the changes be backported to supported release branches?

gerritbot added a comment.Jul 7 2020, 7:54 PM

Change 610147 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group0)

https://gerrit.wikimedia.org/r/610147

gerritbot added a comment.Jul 7 2020, 7:54 PM

Change 610148 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group1)

https://gerrit.wikimedia.org/r/610148

gerritbot added a comment.Jul 7 2020, 7:54 PM

Change 610149 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group2; all wikis)

https://gerrit.wikimedia.org/r/610149

gerritbot added a comment.Jul 9 2020, 4:54 PM

Change 610127 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Beta Cluster)

https://gerrit.wikimedia.org/r/610127

gerritbot added a comment.Jul 9 2020, 10:52 PM

Change 610147 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 1)

https://gerrit.wikimedia.org/r/610147

gerritbot added a comment.Jul 10 2020, 4:53 PM

Change 610148 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 2)

https://gerrit.wikimedia.org/r/610148

RhinosF1 added a comment.Jul 13 2020, 7:38 AM
In T252236#6286657, @RhinosF1 wrote:

Will/Can the changes be backported to supported release branches?

These changes take effect in less than 24 hours. Could it please be backported to supported release branches so non wikimedia wikis running the latest stable like Miraheze can apply the needed changes?

RhinosF1 added a project: User-RhinosF1.Jul 13 2020, 7:38 AM
RhinosF1 moved this task from Radar to Miraheze-Linked on the User-RhinosF1 board.
Tgr added a comment.Jul 13 2020, 10:39 AM

Filed T257802: Backport SameSite fixes to all supported MediaWiki branches. CentralAuth is WMF-only / use-at-your-own-risk but I'd expect basic MediaWiki authentication to be affected for private wiki farms with shared functionality like images.

gerritbot added a comment.Jul 13 2020, 1:10 PM

Change 612335 had a related patch set uploaded (by Paladox; owner: Tim Starling):
[mediawiki/core@REL1_34] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/612335

gerritbot added a comment.Jul 13 2020, 1:24 PM

Change 612336 had a related patch set uploaded (by Paladox; owner: Tim Starling):
[mediawiki/extensions/CentralAuth@REL1_34] Add SameSite=None support

https://gerrit.wikimedia.org/r/612336

AMooney subscribed.Jul 13 2020, 1:42 PM

Hi @Krinkle anything else needed from CPT for this?

gerritbot added a comment.Jul 13 2020, 6:19 PM

Change 612395 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 3)

https://gerrit.wikimedia.org/r/612395

gerritbot added a comment.Jul 13 2020, 6:19 PM

Change 612396 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 4)

https://gerrit.wikimedia.org/r/612396

gerritbot added a comment.Jul 13 2020, 7:28 PM

Change 612395 merged by Krinkle:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 3)

https://gerrit.wikimedia.org/r/612395

gerritbot added a comment.Jul 13 2020, 9:57 PM

Change 612396 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 4)

https://gerrit.wikimedia.org/r/612396

jcrespo mentioned this in T257887: restbase: "featured" endpoint times out.Jul 14 2020, 6:46 AM
Krinkle closed this task as Resolved.Jul 14 2020, 2:37 PM
Krinkle closed subtask T256095: Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional as Resolved.
Krinkle merged a task: T158604: Investigate usefulness of SameSite cookies for logged-in accounts.
Krinkle added subscribers: Parent5446, Astinson, Krenair and 5 others.
BEANS-X2 subscribed.Jul 14 2020, 2:44 PM
Maintenance_bot moved this task from Miraheze-Linked to Done on the User-RhinosF1 board.Jul 14 2020, 3:15 PM
Aklapper mentioned this in T202028: CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox.Jul 15 2020, 11:44 AM
gerritbot added a comment.Jul 23 2020, 12:16 AM

Change 612335 merged by jenkins-bot:
[mediawiki/core@REL1_34] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/612335

ReleaseTaggerBot added a project: MW-1.34-notes.Jul 23 2020, 1:00 AM
Reedy mentioned this in T258718: ConfigException: HashConfig::get: undefined option: 'CookieSameSite'.Jul 23 2020, 3:05 PM
gerritbot added a comment.Jul 23 2020, 9:01 PM

Change 612336 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_34] Add SameSite=None support

https://gerrit.wikimedia.org/r/612336

gerritbot added a comment.Jul 23 2020, 9:55 PM

Change 615843 had a related patch set uploaded (by Reedy; owner: Tim Starling):
[mediawiki/core@REL1_31] [WIP] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/615843

gerritbot added a comment.Jul 23 2020, 11:08 PM

Change 615849 had a related patch set uploaded (by Reedy; owner: Tim Starling):
[mediawiki/extensions/CentralAuth@REL1_31] Add SameSite=None support

https://gerrit.wikimedia.org/r/615849

gerritbot added a comment.Jul 23 2020, 11:10 PM

Change 615843 merged by jenkins-bot:
[mediawiki/core@REL1_31] Support SameSite=None cookies

https://gerrit.wikimedia.org/r/615843

gerritbot added a comment.Jul 23 2020, 11:22 PM

Change 615849 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_31] Add SameSite=None support

https://gerrit.wikimedia.org/r/615849

ReleaseTaggerBot added a project: MW-1.31-release-notes.Jul 24 2020, 12:00 AM
Tgr mentioned this in T299193: MediaWiki login failure due to race condition with session cookie.Jun 1 2022, 4:56 PM
tstarling mentioned this in T344791: Get rid of ss0- SameSite cookie prefix hack.Aug 23 2023, 7:38 AM
Tgr closed subtask T202028: CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox as Invalid.Sep 7 2023, 9:44 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 7 2023, 9:44 PM
Tgr removed a subtask: T253620: Logged out after switching between mobile and desktop site on the log-in page and later back again.Oct 7 2023, 6:33 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Oct 7 2023, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits