CSteipp has uploaded a new change for review.
https://gerrit.wikimedia.org/r/80784
Change subject: Set CentralAuth cookies with correct security
......................................................................
Set CentralAuth cookies with correct security
Updated to work the same as I08f67b35f355ef193ae86cb9cca3799e247ead4e
Account for the prefershttps pref, wfCanIPUseHTTPS, and whether the user came
from an http or https URL before the login form.
Change-Id: I67e148b06cbcb4fdb0a589ea6322fb672c4ffc78
---
M CentralAuthHooks.php
M specials/SpecialCentralAutoLogin.php
M specials/SpecialCentralLogin.php
3 files changed, 35 insertions(+), 25 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/CentralAuth
refs/changes/84/80784/1
diff --git a/CentralAuthHooks.php b/CentralAuthHooks.php
index 6ff447a..5987c76 100644
--- a/CentralAuthHooks.php
+++ b/CentralAuthHooks.php
@@ -426,8 +426,18 @@
// Determine the final protocol of page, after login
$finalProto = $request->detectProtocol();
+ $secureCookies = ( $finalProto === 'https' );
+
if ( $wgSecureLogin ) {
- $finalProto = $user->getBoolOption(
'prefershttps' ) ? 'https' : 'http';
+ $finalProto = 'http';
+
+ if ( $request->getBool( 'wpForceHttps', false )
||
+ ( $user->getBoolOption( 'prefershttps'
) && wfCanIPUseHTTPS( $request->getIP() ) )
+ ) {
+ $finalProto = 'https';
+ }
+
+ $secureCookies = ( ( $finalProto === 'https' )
&& $user->getBoolOption( 'prefershttps' ) );
}
// When POSTs triggered from Special:CentralLogin/start
are sent back to
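Review bot: The `prefershttps` option is read twice in the `$wgSecureLogin` branch with different gating: the first read is combined with `wfCanIPUseHTTPS()` to choose `$finalProto`, the second (line setting `$secureCookies`) is not, so a `wpForceHttps` login from a user who prefers HTTPS but whose IP fails `wfCanIPUseHTTPS()` still gets Secure cookies, while a `wpForceHttps` login from a user without the preference lands on https with non-Secure cookies. If that asymmetry is intended (a one-off HTTPS login should not pin the session to HTTPS), it should be stated, because it decides whether the session cookie can later be sent over plain http. Hoisting the lookup makes the policy readable in one place: `$prefersHttps = $user->getBoolOption( 'prefershttps' );` before the `if`, and `$secureCookies = ( $finalProto === 'https' && $prefersHttps ); // Secure flag only for sticky-HTTPS users; a one-off wpForceHttps login keeps cookies usable over http` at the end of the branch. The enclosing function starts before and ends after this hunk.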
@@ -441,8 +451,8 @@
'remember' => $request->getCheck(
'wpRemember' ),
'returnTo' => $returnTo,
'returnToQuery' => $returnToQuery,
- 'stickHTTPS' => $user->getBoolOption(
'prefershttps' ),
- 'finalProto' => $finalProto,
+ 'stickHTTPS' => $secureCookies, // cookies
set secure or not (local CentralAuth cookies)
+ 'finalProto' => $finalProto, // final page
http or https
'type' => $request->getText( 'type' )
);
@@ -454,8 +464,9 @@
'name' => $centralUser->getName(),
'guid' => $centralUser->getId(),
'wikiId' => wfWikiId(),
- 'finalProto' => $finalProto,
- 'currentProto' => $request->detectProtocol()
+ 'secureCookies' => $secureCookies, // (bool)
cookies secure or not
+ 'finalProto' => $finalProto, // http or
https for very final page
+ 'currentProto' => $request->detectProtocol()
// current proto (in case login is https, but final page is http)
);
wfRunHooks( 'CentralAuthLoginRedirectData', array(
$centralUser, &$data ) );
$wgMemc->set( $key, $data, 60 );
diff --git a/specials/SpecialCentralAutoLogin.php
b/specials/SpecialCentralAutoLogin.php
index 0375cae..3aacac6 100644
--- a/specials/SpecialCentralAutoLogin.php
+++ b/specials/SpecialCentralAutoLogin.php
@@ -75,10 +75,7 @@
$this->getUser()->saveSettings();
}
- $secureCookie = null;
- if ( $centralSession['finalProto'] == 'http' ) {
- $secureCookie = false;
- }
+ $secureCookie =
$centralSession['secureCookies'];
$centralUser->setGlobalCookies( $remember,
false, $secureCookie, $centralSession );
$this->doFinalOutput( true, 'success' );
} else {
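Review bot: `$centralSession['secureCookies']` is read without an existence check, and that key is only written into central session data by this same change (the `setGlobalCookies()` calls in the later hunks), so central sessions created before the deploy raise an undefined-index notice here and pass `null` to `setGlobalCookies()`, which presumably means the default cookie policy rather than the explicit insecure override the removed `finalProto == 'http'` branch produced. The reads of `$memcData['secureCookies']` in the next two hunks of this file and of `$info['secureCookies']` in SpecialCentralLogin.php have the same gap, though those memcached entries are short-lived so only a deploy window is affected there. A guarded read keeps the transition explicit: `$secureCookie = isset( $centralSession['secureCookies'] ) ? $centralSession['secureCookies'] : ( $centralSession['finalProto'] == 'http' ? false : null );`. The enclosing method starts before this hunk.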
@@ -197,7 +194,8 @@
$memcData += array(
'userName' => $centralUser->getName(),
'token' => $centralUser->getAuthToken(),
- 'cookieProto' => $centralSession['finalProto'],
+ 'finalProto' => $centralSession['finalProto'],
+ 'secureCookies' =>
$centralSession['secureCookies'],
'remember' => $centralSession['remember'],
'sessionId' => $centralSession['sessionId'],
);
@@ -263,13 +261,12 @@
// Set central cookies too, with a refreshed sessionid.
Also, check if we
// need to override the default cookie security policy
- $secureCookie = null;
- if ( $memcData['cookieProto'] == 'http' ) {
- $secureCookie = false;
- }
+ $secureCookie = $memcData['secureCookies'];
+
$centralUser->setGlobalCookies(
$memcData['remember'], $memcData['sessionId'],
$secureCookie, array(
- 'finalProto' =>
$memcData['cookieProto'],
+ 'finalProto' => $memcData['finalProto'],
+ 'secureCookies' =>
$memcData['secureCookies'],
'remember' => $memcData['remember'],
)
);
diff --git a/specials/SpecialCentralLogin.php b/specials/SpecialCentralLogin.php
index dbf5996..26bd6b8 100644
--- a/specials/SpecialCentralLogin.php
+++ b/specials/SpecialCentralLogin.php
@@ -77,10 +77,7 @@
// Determine if we can use the default cookie security, or if
we need
// to override it to insecure
- $secureCookie = null;
- if ( $info['finalProto'] == 'http' ) {
- $secureCookie = false;
- }
+ $secureCookie = $info['secureCookies'];
// Start an unusable placeholder session stub and send a cookie.
// The cookie will not be usable until the session is unstubbed.
@@ -107,6 +104,8 @@
// Ensure $url really is proto relative, and prepend the
protocol of the original
// login. If the local wiki is using wgSecureLogin, it will be
https.
$url = strstr( $url, '//' );
+
+ //currentProto = the login form's protocol, so we go back to
here. May then redir to finalProto
$url = $info['currentProto'] . ':' . $url;
if ( $wgCentralAuthSilentLogin ) {
@@ -184,12 +183,11 @@
// session now that the global session is complete.
// Without $wgSecureLogin, we should be on the correct protocol
now, and we use the
// default cookie security. With $wgSecureLogin, we use the
stickHTTPS checkbox.
- $secureCookie = null;
- if ( $wgSecureLogin && !$attempt['stickHTTPS'] ) {
- $secureCookie = false;
- }
+ $secureCookie = $attempt['stickHTTPS'];
+
$centralUser->setGlobalCookies( $attempt['remember'],
$info['sessionId'], $secureCookie, array(
'finalProto' => $attempt['finalProto'],
+ 'secureCookies' => $attempt['stickHTTPS'],
'remember' => $attempt['remember'],
) );
@@ -217,8 +215,12 @@
$attempt['type']
) );
- $form->showReturnToPage( 'successredirect',
- $attempt['returnTo'],
$attempt['returnToQuery'], $attempt['stickHTTPS'] );
+ $form->showReturnToPage(
+ 'successredirect',
+ $attempt['returnTo'],
+ $attempt['returnToQuery'],
+ ( $attempt['finalProto'] == 'https' ) //
influnces http/https of returnTo page
+ );
$this->getOutput()->setPageTitle( $this->msg(
'centralloginsuccesful' ) );
} else {
// Show the login success page
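Review bot: The new `showReturnToPage()` argument uses `==` while the same change compares `$finalProto === 'https'` strictly in CentralAuthHooks.php; `$attempt['finalProto']` is a string this extension sets itself, so the strict form is both safe and consistent, and the comment has a typo: `( $attempt['finalProto'] === 'https' ) // influences http/https of returnTo page`. The enclosing method starts before and ends after this hunk.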
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I67e148b06cbcb4fdb0a589ea6322fb672c4ffc78
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>