Get rid of ss0- SameSite cookie prefix hack
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	tstarling
	Aug 23 2023, 7:38 AM

Description

The Chrome devs added support for SameSite cookie options before the spec was finalized. Then they changed the spec in an incompatible way and implemented the new spec. Then they updated Chrome again in a way which breaks all sites sending cookies without the SameSite option. The end result is that you can choose to either support old Chrome or new Chrome, there's no way to send a single cookie which will work in both kinds of browser.

So for T252236 we added duplicate cookies prefixed with ss0, which work on old Chrome but not new Chrome, while the unprefixed cookies work on new Chrome.

Removing the cookies would reduce request sizes and would simplify the relevant code.

In T252236#6273311 I reported usage statistics for the affected browsers, which I can now update:

Browser	2020-06 page views	2023-08 page views
iOS 12	2.5%	0.20%
Chrome 51-66	0.3%	0.18%
Safari on Mac OS 10.14	0.4%	0.04%

How do we feel about breaking login for 0.41% of users?

Details

Subject	Repo	Branch	Lines +/-
Remove $wgUseSameSiteLegacyCookies	mediawiki/core	master	+4 -40
Stop using $wgUseSameSiteLegacyCookies	mediawiki/core	master	+16 -92
Disable SameSite legacy cookies	operations/mediawiki-config	master	+1 -14

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T255366 SameSite cookie issues
		Resolved		tstarling	T344791 Get rid of ss0- SameSite cookie prefix hack

Event Timeline

tstarling created this task.Aug 23 2023, 7:38 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 23 2023, 7:38 AM

Since it is a configuration setting ($wgUseSameSiteLegacyCookies), we may need three steps to remove it:

deprecate it
turn off in production
remove it

Old Chrome interprets unknown SameSite values as Strict; a SameSite=Strict session cookie will break all cross-site features, including central login, and will result in somewhat erratic behavior (when arriving to the wiki from an external link, you get an anonymous page view but upon reload you will be logged in); but local login and all local features should still work. So IMO inflicting that on half percent of our userbase (probably less as I would expect logged-in users to use more modern browsers on average than readers) doesn't seem to me like a big deal.

Hm, https://www.chromium.org/updates/same-site/incompatible-clients/ says that old Safari will interpret SameSite=None/Lax as SameSite=Strict but old Chrome will reject the cookie entirely. So for 0.18% of users we'd properly break login. Still acceptable IMO.

Tgr added a parent task: T255366: SameSite cookie issues.Jan 9 2024, 8:49 PM

Change 989265 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[operations/mediawiki-config@master] Disable SameSite legacy cookies

https://gerrit.wikimedia.org/r/989265

gerritbot added a project: Patch-For-Review.Jan 10 2024, 4:23 AM

What's the effect of this in older browser? This may need a user notice. Also, we may want to deprecate (and eventually remove) it from MediaWiki.

Note if user can not log in completely, we may want to remove these browser from Grade C support. However login may be working without $wgCookieSameSite (which is default in MediaWiki installations), just not in Wikimedia wikis.

In T344791#9448772, @Bugreporter wrote:

What's the effect of this in older browser?

In Chrome 51-66, users will not be able to log in. In the other old browsers, users may have to log in to each domain separately.

In T344791#9448774, @Bugreporter wrote:

Note if user can not log in completely, we may want to remove these browser from Grade C support. However login may be working without $wgCookieSameSite (which is default in MediaWiki installations), just not in Wikimedia wikis.

FWIW, Grade C support for Chrome is 31+ (2013 or later). Chrome 67+ would be 2018 or later. That's a bit more recent than most other browsers (usually 2015 or later) but still it's five years old which, given Chrome's aggressive updating, seems like a lot. If one can believe Wikipedia, the only platform where it's not possible to upgrade to 67+ are Windows Vista but you can get to 51 is iOS 9.x.

But yes, even if the functionality is removed from core, it won't affect MediaWiki sites with default settings.

Re: Tech News/user-notice - What wording would you suggest as the content, and When should it be included? Thanks!
My best guess is something like this. If you can simplify/improve this, or fix any errors and then confirm it is good, that'd be appreciated:

Future changes

In the future [??], it will not be possible to login to Wikimedia wikis from some specific old versions of the Chrome browser (versions 51–66, released between 2016–2018). Additionally, users of iOS 12, or Safari on Mac OS 10.14, may need to login to each wiki separately.

Quiddity moved this task from To Triage to Not ready to announce on the User-notice board.Jan 11 2024, 7:56 PM

Sounds good to me. @tstarling do you have a target date?

How about January 17?

Changes later this week

Starting on January 17, it will not be possible to login to Wikimedia wikis from some specific old versions of the Chrome browser (versions 51–66, released between 2016–2018). Additionally, users of iOS 12, or Safari on Mac OS 10.14, may need to login to each wiki separately.

Quiddity moved this task from Not ready to announce to In current Tech/News draft on the User-notice board.Jan 12 2024, 12:10 AM

Quiddity awarded a token.

Izno subscribed.Jan 16 2024, 4:08 AM

Change 989265 merged by jenkins-bot:

[operations/mediawiki-config@master] Disable SameSite legacy cookies

https://gerrit.wikimedia.org/r/989265

Mentioned in SAL (#wikimedia-operations) [2024-01-16T23:55:48Z] <tstarling@deploy2002> Synchronized wmf-config/CommonSettings.php: Disable wgUseSameSiteLegacyCookies T344791 (duration: 09m 19s)

Mentioned in SAL (#wikimedia-operations) [2024-01-17T00:03:43Z] <tstarling@deploy2002> Synchronized wmf-config: T344791 related cleanup (duration: 06m 22s)

Maintenance_bot removed a project: Patch-For-Review.Jan 17 2024, 12:30 AM

Change 991101 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/core@master] Remove $wgUseSameSiteLegacyCookies

https://gerrit.wikimedia.org/r/991101

gerritbot added a project: Patch-For-Review.Jan 17 2024, 12:49 AM

The next step may be to deprecate the setting in core MediaWiki.

Change 991104 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/core@master] Remove $wgUseSameSiteLegacyCookies

https://gerrit.wikimedia.org/r/991104

FYI, one (experienced) user with chrome 65 immediately encountered this yesterday.

https://en.wikipedia.org/w/index.php?title=Wikipedia:Teahouse&oldid=1196587580#I_can't_log_into_wikipedia

Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jan 19 2024, 12:46 AM

Umherirrender mentioned this in T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12.Jan 22 2024, 8:36 PM

Per T355596: Prolonging sign-in/login at Wikipedia and Commons no longer possible on Safari 12 via iOS 12 this also reduces the central session lifetime to one day in affected non-Chrome browsers (because CentralAuth has this weird authentication flow where the login mostly happens locally but the "remember me" flag is set in a separate call to loginwiki). They also end up on a Special:CentralLogin error page.

We should probably do some UA sniffing and show a message telling the user to upgrade.

Change 991101 merged by jenkins-bot:

[mediawiki/core@master] Stop using $wgUseSameSiteLegacyCookies

https://gerrit.wikimedia.org/r/991101

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.18; 2024-02-13).Feb 7 2024, 2:00 AM

In T344791#9478881, @Tgr wrote:

We should probably do some UA sniffing and show a message telling the user to upgrade.

On second thought, I don't think it's worth the effort. The code wouldn't be very complicated (Google has some sample code for it here, or in readable form here) but annoying to test (it would require an iOS device or emulator, and two wikis with different registrable domains with CentralAuth set up between them), and it doesn't really make sense to remove the B/C code to actually handle these cookies and then re-add B/C code that tells the user we are not handling them. And all we could do is to say "you need a newer browser", which isn't all that helpful.

The effect would be minimal anyway - there are about 100 central login session losses per day, and the SameSite B/C change had no visible impact on their volume: