Talk:MediaWiki Platform Team/SUL3

What about client preferences? Currently I can turn on dark mode on enwiki, click on the login link, and the page is still dark. Without active support from SUL3, I guess this will break (causing an eye-straining white flash), since accessing the client preferences cookie is also a cross-domain cookie access. A very basic solution would be including the cookie in the URL as a query parameter, which is not nice, but definitely works; is there a nicer solution? —Tacsipacsi (talk) 20:52, 14 January 2025 (UTC)Reply

@Tgr (WMF), @JTweed-WMF, anyone? —Tacsipacsi (talk) 23:19, 22 February 2025 (UTC)Reply

Good question. We could pass along the information the same way other user details are passed (either in the URL or via the token store). But there would have to be some sort of hook mechanism for client preferences so that the information can be plugged back in. Filed as T387093. Tgr (WMF) (talk) 17:00, 23 February 2025 (UTC)Reply

I see that the impact on the Stewards is mentioned around checkuser, but what about Checkusers on individual projects? Login information is often crucial information when performing checkuser. Thanks and best, Barkeep49 (talk) 23:22, 10 March 2025 (UTC)Reply

This should have no impact - even though the login is done on a separate domain it still uses the config of the local wiki and thus the CheckUser logs should go to the right place. * Pppery * _{it has begun} 23:26, 10 March 2025 (UTC)Reply

I cannot log into Wikipedia now, even with cookies enabled and ad blocker turned off. I get this pink-box message:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form. You may receive this message if you are blocking cookies.

What in god's name have you broken, and why? 2601:645:600:39A0:4D3D:AF83:80AD:509E 03:28, 31 March 2025 (UTC)Reply

I just got kicked out and can't re-login too.

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form. You may receive this message if you are blocking cookies.

--130.105.198.28 03:36, 31 March 2025 (UTC)Reply

Same here. 2A00:23C8:F506:A101:6400:908:8332:5DEF 03:40, 31 March 2025 (UTC)Reply

Note: The problem has been resolved. SCP-2000 (talk) 14:38, 31 March 2025 (UTC)Reply

And this incident is not related to SUL3. * Pppery * _{it has begun} 01:55, 1 April 2025 (UTC)Reply

I was hoping the annoying cookie errors would finally be gone, but I still see more than 200 cookie errors on login to Sul3, and 14 cookie errors on each page load. And yes, I'm a wiki-dev — I often open DevTools, so it does bother me when I see errors. Reported details here: phab:T390830. Nux (talk) 09:23, 2 April 2025 (UTC)Reply

Each day I try to log into en wp, I am asked to verify with a code in order to access my account. This started on 23 May 2025 and it´s getting kind of annoying. So whatever you changed around that day, maybe you should look into it again. Alexpl (talk) 09:56, 27 May 2025 (UTC)Reply

I am also asked to verify with a code in order to access my account every time I try to log in. And I also think this is annoying. JimRenge (talk) 17:18, 28 May 2025 (UTC)Reply

@JimRenge @Alexpl This does sound annoying, and in general that's not supposed to happen every time you try to log in. Are you logging in from different IP addresses and/or devices each time? EMill-WMF (talk) 01:00, 29 May 2025 (UTC)Reply

I get a new IP almost every day, but I did so for the last 10 years, so that should not be related to this "new" problem. Other stuff: Firefox, with http/https wikipedia/wikimedia exempt for cookies, which I also use for years now. Alexpl (talk) 09:43, 29 May 2025 (UTC)Reply

@Alexpl If you're allowlisting cookies, check to see if you're allowing loginnotify_prevlogins, which is set by LoginNotify, which is then used to determine whether a device has been logged in from before. That's there specifically to avoid the situation of repeatedly challenging users whose IPs are changing but who are using the same device to log in. EMill-WMF (talk) 13:42, 29 May 2025 (UTC)Reply

Sure did - I get a verification code via mail, then I log into Wikipedia and get a loginnotify mail instantly. Every day. That´s not it. Alexpl (talk) 16:23, 29 May 2025 (UTC)Reply

Thank you! I have realized that my choice in Firefox settings/Privacy & Security "Delete cookies and site data when Firefox is closed" caused these problems. I have allowed auth.wikimedia.org, wikimedia.org and wikipedia.org in Firefox settings/Privacy & Security/Cookies and Site Data/manage exceptions and it works. I have no more problems to log in and I get no more warning e-mails about someone logging into my account or requests for login verification code. JimRenge (talk) 09:15, 30 May 2025 (UTC)Reply

So Firefox lets "Cookies and site data" via "Manage Exceptions" pass certain cookies, who are then deleted anyway by the "history settings" with the "Never remember history"-feature enabled? Disabeling the history thing works, but seems like a hotfix. Alexpl (talk) 14:06, 31 May 2025 (UTC)Reply

Some users prefer not to save cookies on their browser. Myself, I prefer to edit using private browsing sessions, as my browser history will become utterly cluttered otherwise. Is there a sound policy-based reason not to allow users to opt out of these email confirmations each and every time their IP changes without cookies saved? --Paul 012 (talk) 11:36, 29 June 2025 (UTC)Reply

Okay, I've found meta:Wikimedia Foundation/March 2025 discovery of account compromises, which explains the why behind the change, but still, users should be able to opt out. --Paul 012 (talk) 11:51, 29 June 2025 (UTC)Reply

If I understand Help:Extension:EmailAuth correctly, this only happens if you have cookies disabled AND you are making requests to login from IP ranges that are known to have lots of problems with hackers. That can be regional or due to VPNs, or due to IP sharing on large mobile networks and many other reasons. Unfortunately, there doesn't seem to be another way to halt this problematic behavior other than using something like email verification. If you want to avoid the emails, you might consider applying for Two-factor authentication via Steward_requests/Global_permissions, which would allow you to skip the email verification step. Be aware however that losing your 2FA credentials (by for instance losing your phone) can make your account unrecoverable, so you really need to understand how to make the proper backups and how to store recovery codes. —TheDJ (Not WMF) (talk • contribs) 08:40, 1 July 2025 (UTC)Reply

Thanks for the response. It's unfortunate that allowing users to opt out has not been / is not being considered. Paul 012 (talk) 16:45, 1 July 2025 (UTC)Reply

I was trying to get me verification code on my email, but it's not apparing. Mr.Shadow514 (talk) 03:38, 16 October 2025 (UTC)Reply

@Mr.Shadow514: You can check the spam folder. SCP-2000 (talk) 18:08, 13 November 2025 (UTC)Reply