T344791: Get rid of ss0- SameSite cookie prefix hack
Closed, Resolved
Public
Assigned To
tstarling
Authored By
tstarling
Aug 23 2023, 7:38 AM
2023-08-23 07:38:29 (UTC+0)
Tags
MediaWiki-User-login-and-signup
(Backlog)
MW-1.42-notes (1.42.0-wmf.19; 2024-02-20)
User-notice-archive
(Backlog)
Referenced Files
F41800673: Screenshot from 2024-02-06 22-51-57.png
Feb 7 2024, 7:08 AM
2024-02-07 07:08:23 (UTC+0)
Subscribers
Aklapper
Bugreporter
Izno
Krinkle
Quiddity
Tgr
TheDJ
tstarling
Description
The Chrome devs added support for SameSite cookie options before the spec was finalized. Then they changed the spec in an incompatible way and implemented the new spec. Then they updated Chrome again in a way which breaks all sites sending cookies without the SameSite option. The end result is that you can choose to either support old Chrome or new Chrome, there's no way to send a single cookie which will work in both kinds of browser.
So for T252236 we added duplicate cookies prefixed with ss0, which work on old Chrome but not new Chrome, while the unprefixed cookies work on new Chrome.
Removing the cookies would reduce request sizes and would simplify the relevant code.
In T252236#6273311 I reported usage statistics for the affected browsers, which I can now update:

Browser                | 2020-06 page views | 2023-08 page views
iOS 12                 | 2.5%               | 0.20%
Chrome 51-66           | 0.3%               | 0.18%
Safari on Mac OS 10.14 | 0.4%               | 0.04%
How do we feel about breaking login for 0.41% of users?
Details
Related Changes in Gerrit:

Subject                                | Repo                        | Branch | Lines +/-
Remove $wgUseSameSiteLegacyCookies     | mediawiki/core              | master | +4 -40
Stop using $wgUseSameSiteLegacyCookies | mediawiki/core              | master | +16 -92
Disable SameSite legacy cookies        | operations/mediawiki-config | master | +1 -14
Related Objects

Status   | Assigned  | Task
Open     | None      | T255366: SameSite cookie issues
Resolved | tstarling | T344791: Get rid of ss0- SameSite cookie prefix hack
Mentioned In
T271001: Transition to MathML rendering as default
T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12
Mentioned Here
T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12
T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome
Event Timeline
tstarling
created this task.
Aug 23 2023, 7:38 AM
2023-08-23 07:38:29 (UTC+0)
Bugreporter
subscribed.
Aug 23 2023, 8:09 AM
2023-08-23 08:09:30 (UTC+0)
Since it is a configuration setting ($wgUseSameSiteLegacyCookies), we may need three steps to remove it:
deprecate it
turn off in production
remove it
Tgr
added a comment.
Aug 23 2023, 9:59 AM
2023-08-23 09:59:01 (UTC+0)
Old Chrome interprets unknown SameSite values as Strict; a SameSite=Strict session cookie will break all cross-site features, including central login, and will result in somewhat erratic behavior (when arriving to the wiki from an external link, you get an anonymous page view but upon reload you will be logged in); but local login and all local features should still work. So IMO inflicting that on half percent of our userbase (probably less as I would expect logged-in users to use more modern browsers on average than readers) doesn't seem to me like a big deal.
Tgr
added a comment.
Aug 23 2023, 10:03 AM
2023-08-23 10:03:25 (UTC+0)
Hm,
says that old Safari will interpret SameSite=None/Lax as SameSite=Strict but old Chrome will reject the cookie entirely. So for 0.18% of users we'd properly break login. Still acceptable IMO.
Tgr
added a parent task:
T255366: SameSite cookie issues
Jan 9 2024, 8:49 PM
2024-01-09 20:49:26 (UTC+0)
gerritbot
added a comment.
Jan 10 2024, 4:23 AM
2024-01-10 04:23:19 (UTC+0)
Change 989265 had a related patch set uploaded (by Tim Starling; author: Tim Starling):
[operations/mediawiki-config@master] Disable SameSite legacy cookies
gerritbot
added a project:
Patch-For-Review
Jan 10 2024, 4:23 AM
2024-01-10 04:23:20 (UTC+0)
Bugreporter
added a project:
User-notice
Jan 10 2024, 5:32 AM
2024-01-10 05:32:55 (UTC+0)
What's the effect of this in older browser? This may need a user notice. Also, we may want to deprecate (and eventually remove) it from MediaWiki.
Bugreporter
added a comment.
Edited
Jan 10 2024, 5:34 AM
2024-01-10 05:34:46 (UTC+0)
Note if user can not log in completely, we may want to remove these browser from Grade C support. However login may be working without $wgCookieSameSite (which is default in MediaWiki installations), just not in Wikimedia wikis.
tstarling
added a comment.
Jan 10 2024, 10:30 AM
2024-01-10 10:30:07 (UTC+0)
In T344791#9448772 @Bugreporter wrote:
> What's the effect of this in older browser?
In Chrome 51-66, users will not be able to log in. In the other old browsers, users may have to log in to each domain separately.
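The compatibility matrix that the task description, Tgr's two replies and the answer above describe, as an added example that is not part of this task or of MediaWiki's code: a small Python model of the ss0- duplicate-cookie workaround with three constructed browser profiles (Chrome 51-66, iOS 12 / macOS 10.14 Safari, and current Chrome) whose behaviour follows what this thread says about them. The cookie name, the session value and the simplified Set-Cookie parsing are assumptions made for the example.

```python
"""Model of the ss0- legacy-cookie workaround and the browser quirks it
papered over.  Added illustration, not MediaWiki's code: the cookie name,
the session value and the browser profiles are constructed for the example,
and Set-Cookie parsing is limited to the attributes that matter here."""

LEGACY_PREFIX = "ss0-"
SESSION_COOKIE = "centralauth_Session"   # name assumed for the example


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attrs); attribute
    names are lower-cased and valueless attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower() if val else True
    return name, value, attrs


def set_cookie_headers(name, value, legacy):
    """Set-Cookie values a server emits for a cookie that must travel
    cross-site.  With legacy=True a duplicate carrying the ss0- prefix and
    no SameSite attribute is added, mirroring $wgUseSameSiteLegacyCookies."""
    headers = [f"{name}={value}; Secure; HttpOnly; SameSite=None"]
    if legacy:
        headers.append(f"{LEGACY_PREFIX}{name}={value}; Secure; HttpOnly")
    return headers


def store(profile, header):
    """Return (name, value, effective_mode) for the cookie as the given
    browser profile stores it, or None if the browser drops the cookie."""
    name, value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if profile == "chrome-51-66":
        # Pre-spec Chrome: the unrecognised value "None" makes the cookie
        # invalid, so it is rejected; a missing attribute means no restriction.
        if samesite == "none":
            return None
        return name, value, samesite or "unrestricted"
    if profile == "safari-ios12":
        # iOS 12 and macOS 10.14 Safari: "None" is misread as "Strict".
        if samesite == "none":
            return name, value, "strict"
        return name, value, samesite or "unrestricted"
    if profile == "chrome-80+":
        # Current behaviour: SameSite=None must be paired with Secure,
        # and a missing attribute defaults to Lax.
        if samesite == "none":
            return (name, value, "none") if attrs.get("secure") else None
        return name, value, samesite or "lax"
    raise ValueError(f"unknown profile {profile!r}")


def login_jar(profile, legacy, session_id):
    """Cookie jar after the login response: {name: (value, mode)}."""
    jar = {}
    for header in set_cookie_headers(SESSION_COOKIE, session_id, legacy):
        stored = store(profile, header)
        if stored is not None:
            name, value, mode = stored
            jar[name] = (value, mode)
    return jar


def cookies_sent(jar, cross_site):
    """Cookies attached to a request.  On a cross-site subresource request
    (the kind central login relies on) only cookies stored as
    None/unrestricted travel; Lax and Strict ones stay home."""
    if not cross_site:
        return {name: value for name, (value, _) in jar.items()}
    return {name: value for name, (value, mode) in jar.items()
            if mode in ("none", "unrestricted")}


def read_cookie(cookies, name):
    """Server-side read with the legacy fallback: the unprefixed cookie wins,
    otherwise the ss0- copy is consulted."""
    if name in cookies:
        return cookies[name]
    return cookies.get(LEGACY_PREFIX + name)


def login_works(profile, legacy, cross_site, session_id="s3ss10n"):
    """True if the server can recover the session on the given request."""
    jar = login_jar(profile, legacy, session_id)
    return read_cookie(cookies_sent(jar, cross_site), SESSION_COOKIE) == session_id


def compatibility_matrix(legacy):
    """{profile: (local_login_ok, central_login_ok)} for the three profiles."""
    return {p: (login_works(p, legacy, cross_site=False),
                login_works(p, legacy, cross_site=True))
            for p in ("chrome-51-66", "safari-ios12", "chrome-80+")}


if __name__ == "__main__":
    for legacy in (True, False):
        print("legacy cookies", "on" if legacy else "off", compatibility_matrix(legacy))
```

With the legacy copy on, all three profiles log in both locally and centrally; with it off, Chrome 51-66 keeps no session cookie at all, old Safari keeps one that never leaves the site (local login works, central login does not), and current Chrome is unaffected, which is the split the thread describes.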
Tgr
added a comment.
Jan 11 2024, 2:17 AM
2024-01-11 02:17:04 (UTC+0)
In T344791#9448774 @Bugreporter wrote:
> Note if user can not log in completely, we may want to remove these browser from Grade C support. However login may be working without $wgCookieSameSite (which is default in MediaWiki installations), just not in Wikimedia wikis.
FWIW, Grade C support for Chrome is 31+ (2013 or later). Chrome 67+ would be 2018 or later. That's a bit more recent than most other browsers (usually 2015 or later) but still it's five years old which, given Chrome's aggressive updating, seems like a lot. If one can believe Wikipedia, the only platform where it's not possible to upgrade to 67+ are Windows Vista but you can get to 51 is iOS 9.x.
But yes, even if the functionality is removed from core, it won't affect MediaWiki sites with default settings.
Quiddity
subscribed.
Jan 11 2024, 7:56 PM
2024-01-11 19:56:21 (UTC+0)
Re: Tech News/user-notice - What wording would you suggest as the content, and When should it be included? Thanks!
My best guess is something like this. If you can simplify/improve this, or fix any errors and then confirm it is good, that'd be appreciated:
Future changes
In the future [??], it will not be possible to login to Wikimedia wikis from some specific old versions of the Chrome browser (versions 51–66, released between 2016–2018). Additionally, users of iOS 12, or Safari on Mac OS 10.14, may need to login to each wiki separately.
Quiddity
moved this task from
To Triage
to
Not ready to announce
on the
User-notice
board.
Jan 11 2024, 7:56 PM
2024-01-11 19:56:32 (UTC+0)
Tgr
added a comment.
Jan 11 2024, 10:30 PM
2024-01-11 22:30:33 (UTC+0)
Sounds good to me. @tstarling do you have a target date?
tstarling
added a comment.
Jan 11 2024, 11:21 PM
2024-01-11 23:21:42 (UTC+0)
How about January 17?
Changes later this week
Starting on January 17, it will not be possible to login to Wikimedia wikis from some specific old versions of the Chrome browser (versions 51–66, released between 2016–2018). Additionally, users of iOS 12, or Safari on Mac OS 10.14, may need to login to each wiki separately.
Quiddity
moved this task from
Not ready to announce
to
In current Tech/News draft
on the
User-notice
board.
Jan 12 2024, 12:10 AM
2024-01-12 00:10:22 (UTC+0)
Izno
subscribed.
Jan 16 2024, 4:08 AM
2024-01-16 04:08:16 (UTC+0)
gerritbot
added a comment.
Jan 16 2024, 11:42 PM
2024-01-16 23:42:20 (UTC+0)
Change 989265 merged by jenkins-bot:
[operations/mediawiki-config@master] Disable SameSite legacy cookies
Stashbot
added a comment.
Jan 16 2024, 11:55 PM
2024-01-16 23:55:49 (UTC+0)
Mentioned in SAL (#wikimedia-operations) [2024-01-16T23:55:48Z] T344791 (duration: 09m 19s)
Stashbot
added a comment.
Jan 17 2024, 12:03 AM
2024-01-17 00:03:44 (UTC+0)
Mentioned in SAL (#wikimedia-operations) [2024-01-17T00:03:43Z] T344791 related cleanup (duration: 06m 22s)
Maintenance_bot
removed a project:
Patch-For-Review
Jan 17 2024, 12:30 AM
2024-01-17 00:30:16 (UTC+0)
gerritbot
added a comment.
Jan 17 2024, 12:49 AM
2024-01-17 00:49:31 (UTC+0)
Change 991101 had a related patch set uploaded (by Tim Starling; author: Tim Starling):
[mediawiki/core@master] Remove $wgUseSameSiteLegacyCookies
gerritbot
added a project:
Patch-For-Review
Jan 17 2024, 12:49 AM
2024-01-17 00:49:32 (UTC+0)
Bugreporter
added a comment.
Jan 17 2024, 1:24 AM
2024-01-17 01:24:19 (UTC+0)
The next step may be to deprecate the setting in core MediaWiki.
gerritbot
added a comment.
Jan 17 2024, 3:14 AM
2024-01-17 03:14:42 (UTC+0)
Change 991104 had a related patch set uploaded (by Tim Starling; author: Tim Starling):
[mediawiki/core@master] Remove $wgUseSameSiteLegacyCookies
TheDJ
subscribed.
Jan 17 2024, 11:11 PM
2024-01-17 23:11:51 (UTC+0)
FYI, one (experienced) user with chrome 65 immediately encountered this yesterday.
Quiddity
moved this task from
In current Tech/News draft
to
Already announced/Archive
on the
User-notice
board.
Jan 19 2024, 12:46 AM
2024-01-19 00:46:01 (UTC+0)
Umherirrender
mentioned this in
T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12
Jan 22 2024, 8:36 PM
2024-01-22 20:36:01 (UTC+0)
Tgr
added a comment.
Jan 22 2024, 9:13 PM
2024-01-22 21:13:15 (UTC+0)
Per T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12, this also reduces the central session lifetime to one day in affected non-Chrome browsers (because CentralAuth has this weird authentication flow where the login mostly happens locally but the "remember me" flag is set in a separate call to loginwiki). They also end up on a Special:CentralLogin error page.
We should probably do some UA sniffing and show a message telling the user to upgrade.
gerritbot
added a comment.
Feb 7 2024, 12:58 AM
2024-02-07 00:58:34 (UTC+0)
Change 991101 merged by jenkins-bot:
[mediawiki/core@master] Stop using $wgUseSameSiteLegacyCookies
ReleaseTaggerBot
added a project:
MW-1.42-notes (1.42.0-wmf.18; 2024-02-13)
Feb 7 2024, 2:00 AM
2024-02-07 02:00:40 (UTC+0)
Tgr
added a comment.
Feb 7 2024, 7:08 AM
2024-02-07 07:08:23 (UTC+0)
In T344791#9478881 @Tgr wrote:
> We should probably do some UA sniffing and show a message telling the user to upgrade.
On second thought, I don't think it's worth the effort. The code wouldn't be very complicated (Google has some sample code for it here, or in readable form here) but annoying to test (it would require an iOS device or emulator, and two wikis with different registrable domains with CentralAuth set up between them), and it doesn't really make sense to remove the B/C code to actually handle these cookies and then re-add B/C code that tells the user we are not handling them. And all we could do is to say "you need a newer browser", which isn't all that helpful.
The effect would be minimal anyway - there are about 100 central login session losses per day, and the SameSite B/C change had no visible impact on their volume (graph; the vertical line is the time of deployment), so we are talking about maybe a few logins per day.
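For reference, the user-agent check that the comment above decided against, as an added example that is not code from this task, from MediaWiki or from Google's sample: a Python classifier following the heuristic Chromium published for clients that mishandle SameSite=None, reduced to the three browser families in this task's table (the UC Browser case and other clients are left out). The user-agent strings are constructed samples, and the function names are chosen here.

```python
"""Classify user agents by how they mishandle SameSite=None.  Added example;
the regexes follow the heuristic Chromium published for this purpose, cut
down to the three families the task discusses, and the UA samples below are
constructed for the test, not captured from traffic."""
import re

_IOS_VERSION = re.compile(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/")
_MACOS_VERSION = re.compile(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/")
_SAFARI = re.compile(r"Version/.* Safari/")
_MAC_EMBEDDED = re.compile(r"^Mozilla/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                           r"AppleWebKit/[\.\d]+ \(KHTML, like Gecko\)$")
_CHROMIUM = re.compile(r"Chrom(e|ium)")
_CHROMIUM_VERSION = re.compile(r"Chrom[^ /]+/(\d+)[\.\d]* ")


def _ios_major(ua):
    m = _IOS_VERSION.search(ua)
    return int(m.group(1)) if m else None


def _macos_version(ua):
    m = _MACOS_VERSION.search(ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def _chromium_major(ua):
    """Major version for Chrome/Chromium-based UAs, None for anything else."""
    if not _CHROMIUM.search(ua):
        return None
    m = _CHROMIUM_VERSION.search(ua)
    return int(m.group(1)) if m else None


def samesite_none_problem(ua):
    """Return how the client mishandles SameSite=None, or None if it is fine:
    'rejected' (Chrome 51-66 drops the cookie) or 'strict' (all browsers on
    iOS 12, and Safari or embedded WebKit on macOS 10.14, store it as
    SameSite=Strict)."""
    if _ios_major(ua) == 12:
        return "strict"
    if _macos_version(ua) == (10, 14):
        is_safari = _SAFARI.search(ua) and not _CHROMIUM.search(ua)
        if is_safari or _MAC_EMBEDDED.search(ua):
            return "strict"
    major = _chromium_major(ua)
    if major is not None and 51 <= major <= 66:
        return "rejected"
    return None


def should_send_samesite_none(ua):
    """True when the plain SameSite=None cookie can be sent without the
    ss0- duplicate; False when the client would need the legacy copy."""
    return samesite_none_problem(ua) is None


# Constructed sample user agents, one per case discussed in the task.
SAMPLES = {
    "ios12_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "macos1014_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "macos1014_chrome80": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                          "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "chrome65_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                        "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
    "chrome120_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                         "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
}


def classify_samples():
    """{sample name: problem} for the constructed UAs above."""
    return {name: samesite_none_problem(ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, problem in classify_samples().items():
        print(f"{name:20s} {problem}")
```

The macOS check has to exclude Chrome, since Chrome 80 on macOS 10.14 uses its own cookie store and handles SameSite=None correctly; only Safari and embedded WebKit views on that OS version are affected, which is why the sample with Chrome 80 on 10.14 classifies as fine.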
gerritbot
added a comment.
Feb 15 2024, 4:17 PM
2024-02-15 16:17:18 (UTC+0)
Change 991104 merged by jenkins-bot:
[mediawiki/core@master] Remove $wgUseSameSiteLegacyCookies
Maintenance_bot
removed a project:
Patch-For-Review
Feb 15 2024, 4:31 PM
2024-02-15 16:31:12 (UTC+0)
ReleaseTaggerBot
edited projects, added
MW-1.42-notes (1.42.0-wmf.19; 2024-02-20)
; removed
MW-1.42-notes (1.42.0-wmf.18; 2024-02-13)
Feb 15 2024, 5:00 PM
2024-02-15 17:00:51 (UTC+0)
tstarling
closed this task as
Resolved
Feb 15 2024, 10:45 PM
2024-02-15 22:45:26 (UTC+0)
tstarling
claimed this task.
Maintenance_bot
edited projects, added
User-notice-archive
; removed
User-notice
Feb 25 2024, 11:30 PM
2024-02-25 23:30:14 (UTC+0)
Bugreporter
mentioned this in
T271001: Transition to MathML rendering as default
Sep 9 2024, 9:36 AM
2024-09-09 09:36:08 (UTC+0)