[15:38:13] I'm being sent here from wikimedia-stewards. This was my question over there:
[15:38:13] Hi all. I don't know where else to ask, so let me try here: yesterday, a user asked me if I knew why Commons was not letting him log in, the message he was getting was "Central user log in: No active login attempt is in progress for your session". I logged out myself, and now neither Commons nor Meta are letting me log in. The message I'm
[15:38:14] getting is "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking."
[15:38:14] I can log in to *.wikipedia.org. Tried logging out, closing browser window, Firefox private session. Is this a known problem these days?
[15:47:21] Ponor: i just filed https://phabricator.wikimedia.org/T350695 about that. clearing cookies worked for other people. it's definitely a bug though
[15:47:47] There used to be a Firefox cookie handling bug that would trigger this ().
[15:51:04] My Firefox log is full of messages like: Cookie “centralauth_ss0-User” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this
[15:51:04] cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
[15:52:23] MatmaRex: oh, I may have seen behavior on officewiki today related to that change too. I noticed that I am logged in at office.wikimedia.org, but not at office.m.wikimedia.org. I think that is new and possibly related to $wmgSecondLevelDomain.
[15:53:13] Ponor: that's unrelated
[15:53:36] (i've been seeing those messages for… years? they're not new)
[15:54:55] OK thanks I'll keep an eye on T350695, nothing else seems to help
[15:54:56] T350695: "sessionfailure" errors on Meta and Commons - https://phabricator.wikimedia.org/T350695
[15:57:02] bd808: i don't think that's new either, as far as i remember, mobile and desktop login always worked like that on officewiki. i think that's basically https://phabricator.wikimedia.org/T225814
[16:00:04] OAuth login appears to have broken this morning for dashboard.wikiedu.org . Any obvious reasons why that might have happened?
[16:00:08] MatmaRex: ack. I maybe don't get sent office.m links as often as en.m links so was not actively aware.
[16:01:09] ragesoss: which wiki does it try to log in against?
[16:15:17] someone on wikitech-l just reported API login issues as well
[16:16:24] They should use the issue tracker to report bugs :-/
[16:17:12] andre: they probably don't know if it's a bug, them or outage
[16:17:31] it seems wider than 1 person though given the few reports in here
[16:41:32] @taavi en.wiki
[16:41:40] en.wikipedia that is
[16:44:08] notably, it is working for outreachdashboars.wmflabs.org (hosted on WM Cloud) but not for externally-hosted dashboard.wikiedu.org
[16:45:07] i will open an issue
[16:48:04] ragesoss: we changed unconfirmed emails back from null to '' (although that was already a value used for other things before)
[16:48:20] no other changes I think, but could be related to the generic session problems
[16:49:45] it might be something specific to the dashboard.wikiedu.org environment and/or OAuth client, because it errors out even if there is no active session, and does so before redirecting to the login flow.
[17:05:03] i think it's the classic problem of the server time being off far enough that the timestamp-based aspect of the login process fails
[17:05:39] (which i've seen happen to many people with local dev environments before, but this is the first time i've had a production server be 5+ minutes off)
[17:09:08] yep, that was it.
[17:09:22] thanks!
[17:20:12] Isn't NTP enabled by default on pretty much everything these days?
[17:21:07] yea
[17:24:44] roy649: systemd-timesyncd is used and Wikimedia DNS servers are the time servers for appservers
[17:26:01] wikiedu.org is an entirely different organization though
[17:30:33] i was very surprised to find that NTP was not enabled by default on our production Linode server.