
editors are repeatedly getting logged out (August 2024)
Open, High | Public | BUG REPORT

Authored By: Lydia_Pintscher, Aug 17 2024, 12:37 PM

Description

Several people are getting logged out at random times (usually every few days, sometimes multiple times a day). Seems to have started in early August and is corroborated by the stats of how often people use top-level autologin:

Screenshot Capture - 2024-10-09 - 10-44-50.png (580×1 px, 237 KB)

On-wiki reports: Wikipedia, Wikidata, Wikipedia (2)
(summary of reports)

Other authentication issues reported in the same period, possibly related:
T374757: Login errors related to session hijacking
T374184: Logging in on testwiki without the "keep me logged in" tick box is broken

Enabling NetworkSession caused high Kask load (T373826), starting around the same time, but that seems unrelated (reducing the load had no effect; also the starting date doesn't exactly align).

Related Objects

Status: Open | Subtype: BUG REPORT | Assigned: Tgr

Event Timeline


Not sure if this is the same issue, but for several weeks I have been getting automatically logged out of all Wikimedia projects every day, sometimes several times per day. I tried different browsers, cleared cookies and browser settings; that hasn't helped. User:Spinster

Top-level autologins start increasing around Aug 8-10 and gradually continue until Sep 8 or so. That suggests there is something wrong with (local or central) session objects written after Aug 8 (or with the session cookies, but those are easier to inspect and look fine). So as old (correct) session objects expire, the problem becomes more frequent. 30 days is the expiry for most authentication cookies when "keep me logged in" is not used; presumably most people don't use it, that's why the change is gradual. At least that's the only hypothesis I can come up with that fits the data; I think problems in most other components would result in a more sudden spike in autologins. But it doesn't explain why users who do check "keep me logged in" would be affected; they get cookies with 365 day expiry, and I don't think there is anything else involved with an expiry of 30 days.

This just happened to me again, on my desktop. What makes this one different from others is that I saw it happen in real-time. In all the previous examples, I'd come back to my machine after not using it for a while and found I was logged out. In this case, I clicked on some link and was taken to

https://en.wikipedia.org/w/index.php?returnto=Special%3AWatchlist&returntoquery=&title=Special:UserLogin&warning=watchlistanontext&centralAuthAutologinTried=1&centralAuthError=Not+centrally+logged+in

Hmmm, I don't remember exactly, but I guess from that URL, the link I must have clicked on was to view my watchlist.

I see in my browser console:

Unchecked runtime.lastError: The page keeping the extension port is moved into back/forward cache, so the message channel is closed.

I'm logged out of commons and wikidata, but still logged into wikitech.

Here are my (sanitized) cookies:

Just got logged out again, this time on Chromium (Arch Linux). I was logged in a few hours ago still, but now I got logged out all of a sudden.

And yet again I'm logged out on Chromium, just a few days later. This issue is really getting on my nerves now.

@Tgr
I’ve been logged out two times within the last 3 days, and I’ve noticed a common pattern. It usually happens after I x out the tab. Yes, I did click remember me.

I think it's something worth looking into.

Also, I wonder if this is happening to Chromium users only. Does anyone here have this problem on Firefox?

Plus the fact that it is more common with Chromium users is quite odd. I have a feeling it is related to https://phabricator.wikimedia.org/T374184 . However, I don’t have said plugin mentioned in the ticket which is kind of strange.

Also, I wonder if this is happening to Chromium users only. Does anyone here have this problem on Firefox?

Yes. I commented above that I use both. Today (some time between 12:37 and 15:20) I was logged out again. I made my most recent edit and read in Firefox and then returned to a previously opened tab in Firefox to find I'd been logged out. I have opened and closed multiple tabs in both browsers since I was previously logged out. I think I've only read en.wp and Wiktionary in the most recent spans between logouts.

I also commented that I experience this in multiple browsers, including Firefox.

I know this is occurring on English Wikipedia, Wikidata, Wiktionary, but I haven’t heard of any of this occurring on the other language wikis. Does anyone know if such is occurring on there?

I know this is occurring on English Wikipedia, Wikidata, Wiktionary, but I haven’t heard of any of this occurring on the other language wikis. Does anyone know if such is occurring on there?

It happened for me on Commons and Wikidata as well, which are not language based wikis.

Hmmmm. Yeah I’m aware but I’m wondering this because if this isn’t occurring on the French wiki for example and the codes are not centralized for each wiki, I wonder if the debuggers could try to find what code difference there is and thus find the solution to this problem. Of course it's like finding a needle in a haystack but I mean what other solutions are there?

Because although the login system is centralized, that does not mean that how each wiki handles the login system is the same. I mean the fact that there are no reports from these wikis is kind of strange.

I know this is occurring on English Wikipedia, Wikidata, Wiktionary, but I haven’t heard of any of this occurring on the other language wikis. Does anyone know if such is occurring on there?

I have commented several times that I experience it on the Dutch Wikipedia, Wikidata and Commons. So yes, other language wikis as well, because Dutch.

I know this is occurring on English Wikipedia, Wikidata, Wiktionary, but I haven’t heard of any of this occurring on the other language wikis. Does anyone know if such is occurring on there?

For me it happens in every wiki, except metawiki. I wondered, while I'm logged out from every wiki, but haven’t encountered any problems with the meta wiki. Maybe something wrong with SUL!?

I use basically Basque Wikipedia and only on Firefox, so it is not limited to Chrome and English.

Yes, it's a global problem. I got these problems with frwiki, nlwiki, dewiki, enwiki, pflwiki and more, but also commonswiki, wikidatawiki, metawiki and test2wiki. I use several browsers like Edge, Chromium and Firefox mobile and desktop on Windows 10 and Windows 11. It appears that the type of browser, operating system, or type of wiki doesn't matter at all. I always check the "stay logged in" option ...

... and maybe important or without matter: I use 2FA login.

Suggestion: as this affects many users, a summary of the situation (what is known and what is investigated) should be posted in the task description. Thank you in advance!

Strangely enough, today I was logged out from Meta, but not from Basque Wikipedia. I needed to log again at Meta, with 2FA, but I wasn't logged out from euwiki, as usually happens.

Strangely enough, today I was logged out from Meta, but not from Basque Wikipedia. I needed to log again at Meta, with 2FA, but I wasn't logged out from euwiki, as usually happens.

Theklan, indeed, it's not new: sometimes I also become logged out from a wiki of the one language but stay logged in in a wiki of the other language. Really, this sounds a bit weird! But I noticed this too. But only within this affected timespan since August.

Change #1081441 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] SessionManager: Add more logging when unpersisting invalid sessions

https://gerrit.wikimedia.org/r/1081441

In case it's helpful, I've accidentally discovered that actively logging out doesn't prevent this from happening. Yesterday (18 October) I misclicked and logged out at ~18:35, logging back in straight away. Today (19 October) I was logged out by this bug at some point between 09:42 and 11:36.

Change #1081967 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Log unexpected central session lookup misses

https://gerrit.wikimedia.org/r/1081967

@Tgr It is extremely annoying when the logging out happens to working bot accounts, here user:CactusBot of user:Cactus26 . The fact that the logged out bot account continues to edit under an IP and then without bot flag is often very problematic. I think the solution of this task should be given higher priority and include sprints.

see: https://de.wikipedia.org/wiki/Spezial:Beitr%C3%A4ge/2003:DF:273F:2100:291B:1A3:5071:E6D4
see: https://de.wikipedia.org/wiki/Benutzer_Diskussion:Doc_Taxon#Bot%20unangemeldet?

Change #1081967 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Log unexpected central session lookup misses

https://gerrit.wikimedia.org/r/1081967

Change #1081441 merged by jenkins-bot:

[mediawiki/core@master] SessionManager: Add more logging when unpersisting invalid sessions

https://gerrit.wikimedia.org/r/1081441

Change #1082464 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.43.0-wmf.28] SessionManager: Add more logging when unpersisting invalid sessions

https://gerrit.wikimedia.org/r/1082464

Change #1082465 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.28] Log unexpected central session lookup misses

https://gerrit.wikimedia.org/r/1082465

@Tgr It is extremely annoying when the logging out happens to working bot accounts, here user:CactusBot of user:Cactus26 .

I would be surprised if that would be the same issue. Not strictly impossible, but the way bots and browsers authenticate has more differences than similarities.
Do you know what code that bot is running?

The fact that the logged out bot account continues to edit under an IP and then without bot flag is often very problematic.

In general, bots making edits should use assertuser.

I think the solution of this task should be given higher priority and include sprints.

I'm sorry this bug has dragged on for months, that was a misjudgement on my behalf. But right now the problem isn't lack of priority (it has been in our sprint for a couple weeks) but not having good ideas on what to do. Hopefully the new logging will capture something revealing.
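The advice about bots in the comment above, as an added example that is not part of the thread or of any bot's own code: `assert` and `assertuser` are Action API parameters that make the server refuse a request when the session is not the expected account, so a bot that loses its session stops instead of editing as an IP. `FakeWiki`, `guarded_edit`, the user name and the tokens are hypothetical and constructed so the block runs offline.

```python
# Added example: assert/assertuser are real Action API parameters; FakeWiki,
# guarded_edit and the sample values below are constructed for illustration.

# Error codes the API returns when an assertion fails.
ASSERT_FAILURES = {"assertuserfailed", "assertbotfailed", "assertnameduserfailed"}


class SessionLost(Exception):
    """The request was not made as the account the bot expected."""


def build_edit_params(title, text, token, username):
    """Edit request that the server must refuse unless made as `username`."""
    return {
        "action": "edit", "format": "json",
        "title": title, "text": text, "token": token,
        "assert": "user",        # fail if the session is anonymous
        "assertuser": username,  # fail if logged in as someone else
    }


def check_response(response):
    """Turn an assertion failure into an exception instead of a silent miss."""
    code = response.get("error", {}).get("code")
    if code in ASSERT_FAILURES:
        raise SessionLost(code)
    return response


def guarded_edit(post, relogin, title, text, token, username, max_relogins=1):
    """post(params) -> dict and relogin() -> token are injected callables."""
    for attempt in range(max_relogins + 1):
        params = build_edit_params(title, text, token, username)
        try:
            return check_response(post(params))
        except SessionLost:
            if attempt == max_relogins:
                raise  # stop the run rather than edit as an IP
            token = relogin()


class FakeWiki:
    """Constructed stand-in for the API; records who each edit is saved as."""

    def __init__(self, username):
        self.username, self.logged_in, self.saved_as = username, True, []

    def post(self, params):
        actor = self.username if self.logged_in else "IP address"
        if params.get("assert") == "user" and not self.logged_in:
            return {"error": {"code": "assertuserfailed"}}
        if params.get("assertuser", actor) != actor:
            return {"error": {"code": "assertnameduserfailed"}}
        self.saved_as.append(actor)
        return {"edit": {"result": "Success"}}

    def relogin(self):
        self.logged_in = True
        return "constructed-token"


def demo():
    """Same lost session, first without and then with the assertions."""
    wiki = FakeWiki("ExampleBot")
    wiki.logged_in = False  # session dropped without the bot noticing
    wiki.post({"action": "edit", "title": "Sandbox", "text": "x", "token": "+\\"})
    unguarded = list(wiki.saved_as)
    wiki.saved_as.clear()
    wiki.logged_in = False
    guarded_edit(wiki.post, wiki.relogin, "Sandbox", "x", "stale", "ExampleBot")
    return unguarded, list(wiki.saved_as)


if __name__ == "__main__":
    print(demo())
```

With `max_relogins=0` the same call raises `SessionLost` and nothing is saved, which is the safer setting for unattended runs where re-authentication should be a human decision.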

Change #1082464 merged by jenkins-bot:

[mediawiki/core@wmf/1.43.0-wmf.28] SessionManager: Add more logging when unpersisting invalid sessions

https://gerrit.wikimedia.org/r/1082464

Change #1082465 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.28] Log unexpected central session lookup misses

https://gerrit.wikimedia.org/r/1082465

Mentioned in SAL (#wikimedia-operations) [2024-10-23T20:50:10Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1082464|SessionManager: Add more logging when unpersisting invalid sessions (T372702)]], [[gerrit:1082465|Log unexpected central session lookup misses (T372702)]]

Mentioned in SAL (#wikimedia-operations) [2024-10-23T20:52:43Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1082464|SessionManager: Add more logging when unpersisting invalid sessions (T372702)]], [[gerrit:1082465|Log unexpected central session lookup misses (T372702)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2024-10-23T21:05:18Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1082464|SessionManager: Add more logging when unpersisting invalid sessions (T372702)]], [[gerrit:1082465|Log unexpected central session lookup misses (T372702)]] (duration: 15m 07s)

I have added some extra logging which is not very privacy-friendly and I don't want to keep it around longer than I have to; if you experience any logout issues in the next few days, could you please comment with an approximate timestamp of when it happened? Thanks!

@Tgr: I, user:Doc_Taxon, have been logged out from all existing wikis and commons and wikidata approximately between 10 and 14:51 UTC, 2024-10-24 , without clicking log out or doing anything similar.

and logged in again 14:58 UTC

I was logged out *again* on Chromium a few hours ago.

@Mondo: is Mondo your Wikipedia account username too?

@everybody: If you experience a logout in the next few days, please provide us with the approximate timestamp including the time zone and your Wikipedia username. Thank you

I was logged out at some point between 0814 and c. 1945 UTC yesterday (23 October). Sorry I can't be more precise but I was out all day so the logout happened either while I was away or on one of my first page loads after returning. I most recently logged in previously at circa 1136 on 19 October after a previous unrequested logout. My username is Thryduulf.

I've just been logged out again (circa 21:30 UTC 26 October). I was reading (and made a reply) in Chromium and then switched to Firefox and reloaded a page that was already open and found I'd been logged out.
My edit was at 21:27 UTC. I think I (re)loaded a page after that but I might just have read ones I'd opened previously. I logged in again at approximately 21:32 UTC.
My username is still Thryduulf

@Tgr: As with Thryduulf, I have repeatedly experienced that the logout mostly (but not always) occurred when switching browsers or changing between browser and mobile. I think this might be an important point in investigating the cause.

@Thryduulf : Was that just random, or does the logout always occur so frequently for you?

@Tgr: Okay and just now, approx. 10 minutes ago, I have been logged out on all browsers – but only Commons and Wikidata and meta (all the wikimedia.org and wikidata.org project pages), but not at all the wikipedia.org project pages (I'm still logged in there, also after refresh). And I get no GlobalAuth login opening Wikidata and Commons.

A login with https://meta.wikimedia.org/wiki/Special:UserLogin logged me in to all the wikimedia.org and wikidata.org project pages again but didn't harm the pre-existing login at the wikipedia.org project pages.

Now I'm logged out again on Commons in Firefox on Arch Linux.

@doctaxon It seems to be happening every 2-3 days on average:
(all times UTC)

  • 8 October shortly before 20:15
  • 10/11 October between 22:43 and 00:05
  • 12 October between 12:37 and 15:20
  • 15 October between 16:06 and 19:32 - logged out on en.wp and commons but not on Meta; tried to log in on en.wp but got an error saying I was already logged in
  • [18 October explicitly logged out and back in at 10:34]
  • 19 October between 09:42 and 11:36
  • 23 October between 08:14 and c. 19:45
  • 26 October between 21:27 and 21:32

I haven't been logging which browser I was using at the time, but I have multiple tabs open to en.wp in both firefox and chromium, multiple meta open in chromium and at least one Commons tab open in firefox. I open and close tabs to all three and also wiktionary regularly in both browsers, and switch between them very frequently. I don't use my Thryduulf login on mobile and haven't experienced the issue with my Awkward42 login that I use primarily on mobile.

Your mention of changing browsers reminded me that there is a ticket that has been open a couple of years relating to increased security in browsers interfering with SUL login propagation. I haven't found that ticket when searching but I did find T345249 which begins

tl;dr CentralAuth autologin (the ability to log in on one wiki and be also logged in everywhere else without having to enter credentials again on every site) has been significantly degraded to a non-trivial fraction of our users due to browsers' anti-tracking measures, and will probably be degraded for everyone by 2024 summer.

Given these problems date from circa August 2024 I wonder if there is a connection?

Just got logged out a moment ago (call it 27 October 1649 UTC) . I had been reading and editing normally for most of the day, and then when I clicked on a link I was suddenly no longer logged in. I'm not seeing anything of interest in my browser's javascript console.

My experiences related to this problem:
I'm using svwiki and wikidata both on PC and mobile. I have never been logged out on the mobile (iOS/Safari), but for approx one month I have been getting frequently logged out from svwiki. I'm using Edge (the new one), ticked "Keep logged in". I'm currently using 2FA, but the unwanted logouts have appeared both with and without 2FA. I have got a message that someone has tried to login to my account and failed many times. (I'm admin at svwiki so maybe I attract naughty guys.) The logouts don't happen after each restart of PC, it really feels random.

I just had the weird behaviour where my account is still logged in but did perform an edit logged out, see T378413.

Change #1083896 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Revert "SessionManager: Add more logging when unpersisting invalid sessions"

https://gerrit.wikimedia.org/r/1083896

Change #1083896 merged by jenkins-bot:

[mediawiki/core@master] SessionManager: Remove extra logging when unpersisting invalid sessions

https://gerrit.wikimedia.org/r/1083896

@Tgr: I have been logged out again between 12:00 and 15:00 UTC today. User name: Doc_Taxon

Just happened to me again. Approximately 14:24 UTC.

I've just been logged out again, it happened some time between 12:36 and 13:10 UTC today (4 November). Switching browsers was not a factor this time, I made an edit in Firefox then went and did some stuff in other Firefox tabs, then came back to a Wikipedia tab I'd left open, clicked edit and found I'd been logged out.

I was also logged out on desktop this morning, last logged in views would have been around 03:00 UTC, first request this morning was a few minutes ago (15:25 UTC)

And again this morning. 1401 UTC is when I noticed it.

@Tgr: Can it be possible that this is not a cookie bug but any malware or virus accessing the session cookies?

And another logout, at some point between 15:19 and 18:36 UTC today 7 November.

I have become logged out again between 23:00 and 9:30 UTC, but only on desktop browser, not mobile. User name: Doc_Taxon

How is it even possible that one can be logged out only on the computer, but not simultaneously on the smartphone?

I've noticed some odd behaviour lately, which may or may not be related, but I'll mention it just in case.
I normally have a persistent login to en.wikipedia.org ("Keep me logged in ...") and it generally works - if I start the browser then go to https://en.wikipedia.org/wiki/Special:Watchlist. But today, if I close my browser then click on a link to a Wikipedia page that I had saved on my desktop, or a link to a Wikipedia article in my e-mail program (Thunderbird) the browser opens on the page but appears to NOT be logged in. If I go to another random page I still appear not logged in. But if I then go to https://en.wikipedia.org/wiki/Special:Watchlist (which requires me to be logged in) I appear to be logged in again (without entering username and password).
This happens every time at the moment. I can't say how often it has been doing this, because usually I open the browser first rather than following a link to a Wikipedia page from something other than the browser (eg link on desktop, or in e-mail client) when the browser is not already running.

Environment: Firefox 115.17.0esr, Windows 7

I just logged out of Wikipedia, cleared the browser cache and cookies (using Firefox's "forget about this site" from History), logged back in - and now I can't repeat the problem any more. So maybe there was just something weird about my machine's stored cookies. But perhaps other users having the "getting logged out" problem could try the same thing (close all browser instances, click on link on Desktop, check if logged in, go to watchlist) to see if they can replicate it.

Could I get a status update on this? I sit on the Ombuds Commission. While we have not officially taken this up as a case, we have discussed it informally since it has the potential to lead to a user's IP address being leaked. The OC is charged with monitoring infringements of the WMF privacy policy and our purview includes being able to "suggest suitable changes to policies or software", hence our interest in this particular issue.

This task is a concern for Temporary accounts project, in that once a user is logged out of their temporary account, there's no way to log back into it. Is it possible to instrument how often these unexpected logouts are happening, bucketed for named and temporary accounts?

I would consider this task a blocker for deployment of temporary accounts past the minor pilot wikis unless someone can show that it doesn't affect temporary accounts for some reason. We'll get (and have started to get) enough complaints about active misuse of multiple temporary accounts without needing to make it even easier to do unintentionally.

UTC 19:00
I was working in svwiki and wikidata (Edge, Windows 10). I clicked in Wikidata on a link to https://k8s-status.toolforge.org/namespaces/tool-deltabot/. No problem. BUT, I got logged out from svwiki, but not from wikidata. I'm still logged in on my mobile.

EDIT:
I tried the same thing again. I stayed logged in. Can be a coincidence that it happened when I clicked on a link to toolforge.

@Tgr could I (politely) bug you for a status update?

1506 UTC, I just had it happen to me on the fly. I was logged in, went to respond to a comment using the "[reply]" link, and found myself logged out when I went to save my edit.

Screenshot 2024-11-16 at 10.10.28 AM.png (2×2 px, 1 MB)

Screenshot 2024-11-16 at 10.17.18 AM.png (386×1 px, 51 KB)

Screenshot 2024-11-16 at 10.18.15 AM.png (902×2 px, 241 KB)

I sometimes have Wikidata indicating that I'm logged out while saving edits, despite still being logged in. Refreshing the page works in my case.

telegram-cloud-photo-size-4-5836930065470965669-m.jpg (160×312 px, 11 KB)

"I sometimes have Wikidata indicating that I'm logged out while saving edits, despite still being logged in."

In this case, I was clearly logged out. When I opened another window in parallel with the first one, it showed I was logged out. When I reloaded the page in the first window, it also showed I was logged out.