Last modified: 2011-08-13 18:23:20 UTC

This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T19335, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 17335 - edit-module doesn't work with centralauth-cookie
Status: REOPENED
Product: MediaWiki
Classification: Unclassified
API
1.15.x
All All
Normal enhancement
Assigned To: Nobody - You can work on this!
Reported: 2009-02-03 04:24 UTC by merl
Modified: 2011-08-13 18:23 UTC (History)

Description merl 2009-02-03 04:24:09 UTC
The query module (e.g. userinfo) is working regardless of whether I use centralauth_User/Token/Session or dewikiUsername/Token/Session as cookie. Changing a page's content using the API edit module only works with the local cookie. Sending only the three centralauth cookies on an edit request returns a "badtoken" error.

Because the local cookie names and values change on each wiki it would be nice to not relogin on every wiki.
Comment 1 Roan Kattouw 2009-02-03 11:19:27 UTC
(In reply to comment #0)
> The query module (e.g. userinfo) is working regardless of whether I use
> centralauth_User/Token/Session or dewikiUsername/Token/Session as cookie.
> Changing a page content using the api-edit-module only works with the local
> cookie. Sending only the three centralauth-Cookies on an edit request returns a
> "badtoken"-error.
> 
> Because the local cookie names and values change on each wiki it would be nice
> to not relogin on every wiki.
> 

This is gonna be non-trivial to reproduce for me, so can you make sure that you used the same cookies for the token request and the edit request? The token depends on your cookie, so you can't get a token with a deWiki cookie and use it with a centralauth cookie (that's more or less the point of tokens).

Please try using one set of tokens (only the deWiki ones or only the centralauth ones) for both the token retrieval and the edit request, and see if the issue persists.
Comment 2 merl 2009-02-03 12:14:45 UTC
My code

a) in local-cookie mode reads the cookie data from the XML data returned from the login module:
  user="/api/login/@lguserid"; token="/api/login/@lgtoken"; session="/api/login/@sessionid";

  Then on every following request I do (this test case is for dewiki, because I don't read the cookie prefix):
  addHeader("Cookie" ,"dewikiUsername="+user+"; dewikiToken="+token+"; dewiki_session="+session);

b) in global-cookie mode reads the cookie data from the Set-Cookie header returned from the login module:
  Header h = getHeader("Set-Cookie");
  user=h.getParameter("centraulauth_User"); token=h.getParameter("centraulauth_Token"); session=h.getParameter("centraulauth_Session");

  Then on every following request I do:
  addHeader("Cookie" ,"centralauth_User="+user+"; centralauth_Session="+session+"; centralauth_Token="+session);

Only the three cookies mentioned before are sent on every request (no dewiki_session in global mode, although it is returned as a Set-Cookie header).
Both versions are working correctly, e.g. when requesting userinfo.

No other code has been changed between these two test cases. The edit token is requested with "action=query&prop=info&intoken=edit&titles=Pagename" and is working with the edit request in mode a). But in mode b) a badtoken error is returned. All data (login, edittoken, edit) is sent via an HTTP POST request.
Comment 3 Roan Kattouw 2009-02-03 14:42:29 UTC
(In reply to comment #2)
> No other code has been changed between these two test cases. The edit token is
> requested with "action=query&prop=info&intoken=edit&titles=Pagename" and is
> working with the edit request in mode a). But in mode b) a badtoken error is
> returned. All data (login, edittoken, edit) is sent via an HTTP POST request.
> 
Can you check whether your edit token just happens to be +\ (without any hash in front of it)?
Comment 4 merl 2009-02-03 15:24:03 UTC
Using only "+\" as token returns a bad token error.
Sending no cookie and using "+\" returns success.
The token is exactly the same in both modes.
Comment 5 Mike.lifeguard 2010-06-07 18:51:09 UTC
(In reply to comment #4)
> Sending no cookie and using "+\" returns success.

This must result in a logged-out edit, since "+\" is the token for anonymous users.
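A minimal model of the behaviour discussed in comments 1, 4 and 5, added here as an illustration and not taken from MediaWiki or from any commenter's code: the edit token is derived from a secret held in the session, so it is only accepted together with the cookies it was fetched with, and the bare "+\" token is only accepted when no session is presented. ToyWiki, its methods, the SHA-256 derivation and the user name are assumptions made for the example.

```python
import hashlib
import secrets

ANON_TOKEN = "+\\"  # the token for anonymous users, as stated in comment 5


class ToyWiki:
    """Constructed stand-in for a wiki whose edit token is bound to the session."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "secret": ...}

    def login(self, user):
        # The returned id plays the role of the session cookie value.
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "secret": secrets.token_hex(16)}
        return sid

    def _expected(self, sid):
        session = self.sessions.get(sid)
        if session is None:
            return ANON_TOKEN  # no session presented: anonymous token only
        digest = hashlib.sha256(session["secret"].encode()).hexdigest()
        return digest + ANON_TOKEN

    def get_token(self, sid=None):
        return self._expected(sid)

    def edit(self, token, sid=None):
        # The token is checked against the session sent with THIS request.
        if not secrets.compare_digest(token.encode(), self._expected(sid).encode()):
            return "badtoken"
        session = self.sessions.get(sid)
        return "success as " + (session["user"] if session else "anonymous")


def demo():
    wiki = ToyWiki()
    sid_a = wiki.login("ExampleUser")  # one cookie set
    sid_b = wiki.login("ExampleUser")  # a different cookie set, same account
    token_a = wiki.get_token(sid_a)
    return {
        "same_session": wiki.edit(token_a, sid_a),
        "other_session": wiki.edit(token_a, sid_b),
        "anon_token_logged_in": wiki.edit(ANON_TOKEN, sid_a),
        "anon_token_no_cookie": wiki.edit(ANON_TOKEN),
    }
```
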
Comment 6 Marius Hoch 2011-06-24 23:57:46 UTC
I have written a Python script to access the API as well and had the same problems. It can be resolved by accepting the locally set cookies on all requests (can be done using a single HTTP request function and a cookie store variable per wiki), which in my opinion is mandatory, because there is a reason why those exist.
Comment 7 Bryan Tong Minh 2011-06-25 07:24:47 UTC
Well, no. The whole point of CA is that you only need to login once.
