Topic on Project:Support desk

BensDBN (talkcontribs)

Hi,

I have a MediaWiki that is set to private and I want a specific user account to be able to programmatically sign in, so that when I browse to the wiki it's automatically signed in.

I followed this post: API:Login, but it doesn't tell you what to do after you have logged in, and I'm hoping to get some help regarding saving your login to a cookie.

I get a readapidenied error when I try to do a GET token request. I switched to the deprecated way of doing it via POST, but at least I'm able to get a token. I now do a login POST and I get a return (I'm not sure if this is successful, as it shows a different token with a status of "Needs Token").


Any help or links to documentation would be greatly appreciated.


Ciencia Al Poder (talkcontribs)

"Being logged in" from a browser's perspective means you have entered valid credentials and you got an HTTP cookie with a session identifier, and the browser sends back that cookie with the session identifier on all requests to the wiki, which tells the server who the user is (this is what keeps the user logged in, until the cookie expires or the session is no longer valid on the server).

If you're able to programmatically set a cookie on the user's browser from the same domain as MediaWiki, you'll be good to go. Otherwise, you won't be able to do so. Maybe Extension:Auth remoteuser is an alternative if you can set up the user on the server level.

About the API, if you receive Needs Token, this means you're not sending back the cookie you received from the first POST.

BensDBN (talkcontribs)

Hi Ciencia,

Thanks for your response. I am using AngularJS; I am just battling to grab the cookie from the response headers of the first POST. I'm busy looking into how to do this currently.

I can see the cookie in the response header: Set-Cookie: wikidb_session=sd00uqls8o2hi6q7cev6gpg0tjhjbh4t; path=/; HttpOnly

Have any ideas?

All the documentation for API:Login uses request, which has been shut down. :(

Ciencia Al Poder (talkcontribs)

You can't grab a cookie set with the HttpOnly flag (which is what you've received) from JavaScript. This is a protection to prevent JavaScript from stealing sessions. However, the cookie will get stored in the browser automatically and be used on future requests, but this will only be true if the request comes from the same domain and path.

So basically, if you run the JavaScript code on a page on the same domain as MediaWiki, it should work. If you run the JavaScript code on a page on a different domain or subdomain, it won't work.

I don't know, however, what the solution should be. Maybe implement OAuth on your application and change MediaWiki logins to log in against that OAuth server (this won't make users logged in automatically, but they can click a button to log in without further credentials if they're already logged in to the OAuth application). That's what happens when you use "login with Facebook" buttons on other websites, for example.

BensDBN (talkcontribs)

My IIS server and my wiki server are on the same domain. The origin is currently set to localhost as I'm busy testing, which I think is part of the issue. But how does one test when you are developing? We have 3 different levels of security on the wiki, so based on the level of security of the person logged into our SPA, that is the level of sites they see in the wiki. With your alternative suggestion, would the process be that I log into OAuth from my application, providing a set of credentials, and then when the customer is redirected to the wiki they click on Log in and it will automatically log them in with the set of credentials I provided initially?

Ciencia Al Poder (talkcontribs)

I have never set up an OAuth system. You may need to install Extension:WSOAuth and develop a class to handle the login system. From what I understand, OAuth not only authenticates users but also provides a list of user groups or similar, which can be equivalent to MediaWiki user groups. I don't know how easy it is to integrate that with your system.

BensDBN (talkcontribs)

Hi,

I have tackled this again. I moved MediaWiki to our web server. I also updated to the latest version of MediaWiki, which fixed the token issue, so I'm now using the recommended way to get the token. I have published my code to the web server so the Origin is exactly the same.

I added MediaWiki as an application under our main site, so now the URL to get to the wiki is https://application.example.com/wiki

In the web.config on IIS I added Access-Control-Allow-Origin and set the origin to https://application.example.com (an example), and on the request headers it is exactly the same.

However, my response headers are still:

Set-Cookie: UseDC=master; expires=Fri, 03-Apr-2020 14:18:01 GMT; Max-Age=10; path=/; secure; HttpOnly

Set-Cookie: UseCDNCache=false; expires=Fri, 03-Apr-2020 14:18:01 GMT; Max-Age=10; path=/; secure; HttpOnly


So you can now see that it has secure but still has HttpOnly. Is there a setting that I can add in LocalSettings to whitelist a domain?

I'm not entirely sure now why it's still HttpOnly.

Ciencia Al Poder (talkcontribs)

Session cookies must be HttpOnly, otherwise any script on the page could tamper with it.

If you're doing the login to MediaWiki through the application server-side (which would be desirable security-wise), you should capture the cookies in the header and then send them back to your application. That way, since you have set them up as path=/, it should work.

BensDBN (talkcontribs)

The response I'm getting from the login request is the MediaWiki API help page. Is that correct?

The response looks like this:

data: "<!DOCTYPE html>↵<html class="client-nojs" lang="en"

status: 200

headers: ƒ (name)

config: {method: "POST", transformRequest: Array(1), transformResponse: Array(1), url: "https://application.example.com/Wiki/api.php", paramSerializer: ƒ, …}

statusText: "OK"

__proto__: Object

BensDBN (talkcontribs)

I'm also looking at the cookie under Application; it seems to have saved the cookie correctly.

It has the wikidb_session cookie, the domain is correct, the path is "/", HttpOnly and Secure are ticked but SameSite isn't ticked. Does that need to be ticked in order for it to work?

Maybe the path should be "/Wiki" ?

BensDBN (talkcontribs)

OK, I don't think that return is correct, because when I log in through the main site manually there are 3 entries in the cookie: wikidbUserID, wikidbUserName and wikidb_session. Whereas on my login only wikidb_session is there.

Ciencia Al Poder (talkcontribs)

You should send format=json, format=xml, etc. to get a parseable response instead of the HTML one.

BensDBN (talkcontribs)

Can we pay for someone to remote on and see what I'm doing wrong?

BensDBN (talkcontribs)

Hi Ciencia,


I managed to get it working (Finally) and thanks to all of your help.

So I had to serialise the body and I had to have my Content-Type set to application/x-www-form-urlencoded. Then it worked beautifully.


Kind Regards

Ben
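The exchange the thread converges on, as an added example that is not part of the original posts: the API:Login token round-trip, with the session cookie sent back, format=json requested, and the login body serialised as application/x-www-form-urlencoded. It runs offline against a constructed stand-in for api.php (fake_api, SESSIONS and USERS are mine, not MediaWiki's code); the parameter names and result strings are the ones the API actually uses, and send_cookies=False or a JSON content type reproduces the NeedToken symptom discussed above.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the wiki's server side state (not MediaWiki's code).
SESSIONS = {}  # session cookie value -> login token bound to that session
USERS = {"bot": "correct horse battery staple"}  # constructed credentials


def fake_api(method, query, body="", cookies=None, content_type=""):
    """Stand-in for api.php; returns (response_text, cookies_to_set)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("format") != "json":  # no format= -> the HTML help page, as in the thread
        return '<!DOCTYPE html><html class="client-nojs" lang="en">...', {}
    if method == "GET" and q.get("meta") == "tokens":
        sid, tok = secrets.token_hex(16), secrets.token_hex(16) + "+\\"
        SESSIONS[sid] = tok  # the token is only valid for the session that fetched it
        return json.dumps({"query": {"tokens": {"logintoken": tok}}}), {"wikidb_session": sid}
    if method == "POST" and q.get("action") == "login":
        # PHP only populates the form fields for a URL-encoded body; a JSON body yields none.
        form = parse_qs(body) if content_type == "application/x-www-form-urlencoded" else {}
        sid = (cookies or {}).get("wikidb_session")
        sent = form.get("lgtoken", [None])[0]
        if sid not in SESSIONS or sent != SESSIONS[sid]:  # cookie missing or token not ours
            return json.dumps({"login": {"result": "NeedToken"}}), {}
        name, pw = form.get("lgname", [""])[0], form.get("lgpassword", [""])[0]
        if USERS.get(name) != pw:
            return json.dumps({"login": {"result": "Failed"}}), {}
        return (json.dumps({"login": {"result": "Success", "lgusername": name}}),
                {"wikidbUserName": name, "wikidbUserID": "1"})
    return json.dumps({"error": {"code": "unknown_action"}}), {}


def mediawiki_login(api, username, password, send_cookies=True,
                    content_type="application/x-www-form-urlencoded"):
    """Client side of API:Login; returns (login result, cookie jar after login)."""
    jar = {}  # a same-origin browser keeps this jar for you; here it is explicit
    text, new = api("GET", urlencode({"action": "query", "meta": "tokens",
                                      "type": "login", "format": "json"}))
    jar.update(new)  # keep the session cookie that the token is bound to
    token = json.loads(text)["query"]["tokens"]["logintoken"]
    body = urlencode({"lgname": username, "lgpassword": password, "lgtoken": token})
    text, new = api("POST", "action=login&format=json", body=body,
                    cookies=jar if send_cookies else {}, content_type=content_type)
    jar.update(new)  # on success the user cookies join the session cookie
    return json.loads(text)["login"]["result"], jar
```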