[02:51:29] <wikidatauser>	 !admin
[02:52:54] <Ebe123>	 wikidatauser: need some help?
[02:53:35] <wikidatauser>	  https://www.wikidata.org/w/index.php?title=Q3163141&action=history vandalism Protected plis
[02:54:27] <wikidatauser>	 proteger*
[02:55:00] <wikidatauser>	 proteger por favor 
[02:56:22] <wikidatauser>	 hay admin aqui?
[02:56:51] <wikidatauser>	 hay TAB como en wiki-en o wiki-es?
[02:57:13] <Ebe123>	 I'll post it on the admin noticeboard for you
[02:57:29] <wikidatauser>	 thanks =)
[02:58:18] <Ebe123>	 https://www.wikidata.org/wiki/Wikidata:Administrators%27_noticeboard#Vandalism_on_.7B.7BQ.7CQ3163141.7D.7D
[02:59:06] <wikidatauser>	 ok
[02:59:09] <wikidatauser>	 =)
[02:59:24] <Ebe123>	 glad I could be of some help
[03:00:40] <wikidatauser>	 Bye
[09:58:24] <hoo>	 Lydia_WMDE: aude: Did you manage to resolve the cookie issue stuff?
[10:00:04] <Lydia_WMDE>	 hoo: not solved but lego said he'd look into it
[10:00:19] <hoo>	 Ok
[10:00:28] <hoo>	 Is he on now?
[10:00:38] <hoo>	 The solution is to unset the old cookies via varnish, we did that before
[10:00:48] <Lydia_WMDE>	 ok
[10:00:50] <Lydia_WMDE>	 let me get the ticket
[10:00:52] <Lydia_WMDE>	 one sec
[10:00:54] <Lydia_WMDE>	 then you can comment
[10:01:04] <hoo>	 Nice :)
[10:01:06] <Lydia_WMDE>	 hoo: https://phabricator.wikimedia.org/T109038
[10:02:43] <hoo>	 Lydia_WMDE: Commented
[10:02:49] <Lydia_WMDE>	 thanks!
[10:05:36] <aude>	 hoo: thanks
[10:05:42] <aude>	 how's camp?
[10:06:18] <hoo>	 Awesome! :)
[10:06:22] <hoo>	 You should have joined
[10:06:23] <aude>	 :D
[10:06:29] * aude is moving this weekend
[10:06:41] <aude>	 out of the hostel :)
[10:06:49] <hoo>	 hehe, nice :)
[10:38:04] <addshore>	 aude: no idea why this one is failing.... https://gerrit.wikimedia.org/r/#/c/231509/
[10:38:12] <addshore>	 but I guess thats okay as we dont use it yet....
[10:54:32] <aude>	 addshore: hmm...
[10:54:38] <addshore>	 indeed
[11:31:30] <Lydia_WMDE>	 aude: seen comment in https://phabricator.wikimedia.org/T107319 ? 
[11:46:09] <andre__>	 Lydia_WMDE: out of curiosity: Was there actually communication between https://phabricator.wikimedia.org/T100722#1322620 and closing in https://phabricator.wikimedia.org/T100722#1538951 ?
[11:54:48] <Reedy>	 Anyone know the offending cookie that needs killing? ;)
[11:58:17] <Reedy>	 hoo: ^
[11:58:50] <hoo>	 Not offhand, no
[11:59:01] <hoo>	 It's just the current cookies with a different path
[11:59:23] <hoo>	 but in the end, I don't know
[11:59:37] <hoo>	 I think this notebook is newer than that, so doesn't have the old cookies
[12:35:54] <jzerebecki>	 Reedy: I have the old cookies and can reproduce. I think any cookie for the domain wikidata.org instead of something more specific like www.wikidata.org
[12:36:58] <jzerebecki>	 oh *sigh* we totall forgot m.wikidata.org
[12:37:36] <Lydia_WMDE>	 andre__: not really. the feature was killed though now for all i can tell
[12:41:37] <andre__>	 sigh
[12:42:13] <andre__>	 Lydia_WMDE: if you expected some communication (on what exactly?) I'm happy to be the bad guy pointing that out. If wanted.
[12:42:29] <Lydia_WMDE>	 andre__: aprechiated ;-)
[12:43:09] <bblack>	 hey
[12:43:27] <bblack>	 https://phabricator.wikimedia.org/T109038#1539407
[12:43:51] <bblack>	 ^ I think the problem is the centralauth_Token cookie getting set for "wikidata.org", or still existing there from the past, anyways
[12:44:14] <bblack>	 after deleting it manually, I haven't managed to trigger it to re-appear by any combination of login/logout on wikidata and other wikis
[12:44:47] <bblack>	 (a cookie for wikidata.org will get sent to *.wikidata.org too)
[12:45:32] <bblack>	 but since https://wikidata.org is just a redirect and probably no normal activity other than old links/bookmarks hit it, there's no simple universal fix at the varnish level.
[12:45:51] <bblack>	 if we delete centralauth_Token without stricitly filtering on the Host header, we'll repeatedly kill legit logins
[12:46:12] <bblack>	 if we filter on Host: wikidata.org for the cookie-kill it would DTRT, but then not all visitors will ever make a request to https://wikidata.org/
[12:46:46] <bblack>	 (I think....)
[12:47:08] <bblack>	 it's early in the morning to be sure of anything about how browsers match up an update/delete of a cookie based on the source domain and the domain specified :/
[12:56:28] <bblack>	 it's possible that, from a request to "www.wikidata.org", we can send a cookie delete for "wikidata.org", and it will delete only the wikidata.org version of it and not the www version of it, maybe
[12:56:43] <bblack>	 they overlap for that request in some way, I imagine it's subject to all kinds of browser differences in this case :/
[13:01:50] <Lydia_WMDE>	 bblack: thanks for looking into it! from our side hoo and jzerebecki can probably say most about it
[13:02:09] <Lydia_WMDE>	 they're both at CCCamp though and i don't know how much/when they're around
[13:02:11] <jzerebecki>	 bblack: what is the life time for the central auth token?
[13:02:20] <Lydia_WMDE>	 ah! :D
[13:02:23] <jzerebecki>	 :)
[13:02:54] <bblack>	 good question
[13:03:29] <bblack>	 I think 30d, but there was recent unrelated chatter about raising it to a year
[13:03:33] <bblack>	 I don't think that was merged, yet
[13:04:18] <jzerebecki>	 bblack: can we fix central auth to try both central auth token cookie values instead of failing?
[13:04:46] <jzerebecki>	 I don't see any good solution that is able to delete the cookie
[13:04:59] <jzerebecki>	 assuming getting 2 values is why it is failing
[13:05:18] <bblack>	 I'm not even sure it's getting two values.  it may be that the browser picks one of the two to send
[13:05:36] <bblack>	 I guess we can test that, though
[13:05:44] <bblack>	 https://gerrit.wikimedia.org/r/#/c/230954/ is the 1y expiry thing, not merged yet
[13:10:19] <jzerebecki>	 testing that now...
[13:10:28] <bblack>	 oh you're right I think
[13:10:33] <bblack>	 https://github.com/jshttp/cookie/issues/18 mentions it
[13:10:46] <bblack>	 you supposedly get two values in the cookie string with the same key
[13:11:03] <bblack>	 so yes, perhaps a CentralAuth patch to try both if two values exist and the first fails
[13:11:25] <jzerebecki>	 yea my browser sends two values
[13:11:53] <jzerebecki>	 also had the same problem years ago with another php application
[13:12:11] <bblack>	 although I'm imagining CA uses some standard php or mw library code to get cookie values.  it may not be trivial to get raw access to the string?
[13:12:51] <jzerebecki>	 though we fixed it by adding a prefix to all cookie names
[13:14:31] <jzerebecki>	 I never looked at mediawiki session handling...
[13:15:13] <bblack>	 ah but! the two-values thing should be abnormal and only exist for this broken case
[13:15:31] <bblack>	 so perhaps I could just hack up something in varnish that deletes the CA cookie only if it sees a double-value
[13:15:40] <jzerebecki>	 oh yes.
[13:15:47] <bblack>	 whether that deletes only the wikidata.org variant or deletes both, either way worst case they have to log back in once
[13:16:26] <jzerebecki>	 bblack: it will only work if it deletes the wikidata.org one. otherwise the next try we again get both.
[13:17:02] <bblack>	 I'm assuming if I delete the value with domain=wikidata.org, it will either delete just that one, or kill both
[13:17:13] <jzerebecki>	 so we could do one redirect back to wikidata.org
[13:17:24] <jzerebecki>	 only if there are two values
[13:17:25] <bblack>	 but yes, I guess depending on horrible browser behaviors, it could just delete www.wikidata.org one, but I wouldn't think so
[13:17:38] <bblack>	 hmmm
[13:18:02] <bblack>	 yeah that would be more certain to correct it
[13:18:05] <bblack>	 complex, though
[13:18:19] <bblack>	 let me see how bad it looks if I do the redirect->delete thing
[13:18:36] <bblack>	 (we can send the delete on the response that MW's sending to redirect them back to www.wikidata.org too)
[13:19:02] <jzerebecki>	 yes
[13:19:28] <jzerebecki>	 we can test if the delete without redirect works, to make sure it is not needless complexity.
[13:23:49] <matej_suchanek>	 hi, I need someone with admin/editinteface rights in enwiki
[13:35:45] <bblack>	 jzerebecki: https://gerrit.wikimedia.org/r/#/c/231556/ ?
[13:36:37] <bblack>	 oh I have VCL syntax errors there, fixing
[13:37:49] <bblack>	 PS2 looks better
[13:39:09] <bblack>	 I think in the best case this fixes it (with the user maybe having to reload/relogin after they hit the fix), worst case it deletes the one for www.wikidata.org but not for wikidata.org, in which case the broken users just stay broken, but doesn't affect unbroken users
[13:58:18] <bblack>	 I'm salting the fix attempt around the cluster now, will take a few mins to get it deployed
[13:59:35] <bblack>	 jzerebecki: re: redirect, anything like that starts getting much uglier in terms of varnish complexity
[14:00:14] <jzerebecki>	 bblack: yea I also forgot that this is only the centralauth token, not the session cookie
[14:00:21] <bblack>	 ah right
[14:00:48] <bblack>	 once the salt finishes, since you still have the double-cookie, we can have you hit a page and see what happens to your cookie store
[14:00:54] <bblack>	 (at least for your browser variant heh)
[14:01:45] <bblack>	 ok it's live everywhere now
[14:03:32] <jzerebecki>	 bblack: I think it deleted the www.wikidata.org cookie and then automatically logged me in
[14:03:42] <bblack>	 did it delete both of them?
[14:03:49] <jzerebecki>	 when I vistied https://www.wikidata.org
[14:03:58] <jzerebecki>	 no it didn't, only one
[14:04:14] <bblack>	 heh, so it's the worst possible behavior? it deleted www.wikidata.org but not wikidata.org?
[14:04:36] <bblack>	 ok let me look at fixing this up to use a one-shot redirect
[14:05:44] <jzerebecki>	 bblack: no it actually deleted .wikidata.org so it is exactly fine
[14:06:02] <jzerebecki>	 that was me being confused
[14:06:10] <bblack>	 oh nice
[14:06:20] <bblack>	 so session stayed up, and logout->login worked after?
[14:08:01] <jzerebecki>	 bblack: before your fix: I manually logged out, tried to login, didn't work. after your fix I accessed https://www.wikidata.org it got the cookie delete and was a redirect to the main page. the main page got delivered to me as logged in.
[14:08:26] <jzerebecki>	 retrying
[14:09:10] <jzerebecki>	 login&logout still works as expected.
[14:09:22] <bblack>	 so, fix is probably good enough?
[14:09:44] <jzerebecki>	 bblack: yes we can take it out after 31 days.
[14:09:58] <bblack>	 right, I'll add the commentary on that I should've put in the first patch, + a bug ref
[15:42:21] <addshore>	 JeroenDeDauw: https://github.com/wmde/WikibaseDataModelServices/pull/42
[16:37:53] <andre__>	 Hmm, anybody knows who in WMDE is playing with phab09.wmflabs.org by creating lots of test tickets by (ab)using my user account over there?
[16:38:05] <andre__>	 (I know this isn't Wikidata stuff but if there's a better WMDE channel just tell me)
[16:42:47] <aude>	 andre__: addshore got a lot of mails from the test instance
[16:42:55] <aude>	 he wasn't playing wiht it though and was wondering also
[16:43:27] <addshore>	 yeh, I got somewhere between 300 and 400 emails today :/
[16:43:33] <addshore>	 that went straight to my inbox :/
[17:17:40] <Romaine>	 addshore: somehow you are popular then ;)
[17:28:44] <sjoerddebruin>	 benestar: Didn't you saw my pings? :(
[17:29:07] <benestar>	 sjoerddebruin: nope, sry
[17:29:24] <sjoerddebruin>	 Your references script is not working on certain items.
[17:44:47] <Almondega>	 Oi, algum brasileiro aí?
[21:11:33] <icinga-wm>	 PROBLEM - wikidata.org dispatch lag is higher than 300s on wikidata is CRITICAL: HTTP CRITICAL: HTTP/1.1 200 OK - pattern not found - 1431 bytes in 0.151 second response time
[21:12:25] <sjoerddebruin>	 Hm
[21:13:53] <hoo>	 on it
[21:29:21] <icinga-wm>	 RECOVERY - wikidata.org dispatch lag is higher than 300s on wikidata is OK: HTTP OK: HTTP/1.1 200 OK - 1411 bytes in 0.113 second response time
[23:56:15] <icinga-wm>	 PROBLEM - wikidata.org dispatch lag is higher than 300s on wikidata is CRITICAL: HTTP CRITICAL: HTTP/1.1 503 Service Unavailable - pattern not found - 50727 bytes in 0.082 second response time