Tim Miller wrote: > I'm currently trialling the SecurePages extension (formerly httpsLogin) > to force a https connection for Special:Userlogin and then redirect to > http for normal usage of the wiki. By default the extension sets > $wgCookieSecure to false since MediaWiki obviously can't read cookies > set with the secure flag when not using an encrypted connection. > > I'm curious whether anyone has any input on the security implications of > using $wgDisableCookieCheck instead of disabling $wgCookieSecure.
It's better to use $wgDisableCookieCheck than to disable $wgCookieSecure. The cookie check is not a security check, it's only for usability, so that we can give the user a more informative error message if they have cookies disabled. With the cookie check disabled, users with cookies disabled will be logged out as soon as they navigate to another page, after logging in. -- Tim Starling _______________________________________________ MediaWiki-l mailing list MediaWikiemail@example.com https://lists.wikimedia.org/mailman/listinfo/mediawiki-l