On 2014-01-22 7:54 AM, dsge herr wrote:
> You can put something like this to your LocalSettings.php:
>
> ---
>
> $wgServer = "http://example.com";
>
> $wgHooks['BeforeInitialize'][] = 'redirectIfLoggedIn';
>
> function redirectIfLoggedIn( &$title, &$article, &$output, &$user,
> $request, $mediaWiki ){
>  if ($user->isLoggedIn()) {
>   if (strpos($title->getFullURL(),"http:") === 0){
>    header('Location: '.str_replace("http","https",$title->getFullURL()));
>    exit;
>   }
>   else{
>    $wgServer = "https://example.com";
>   }
>  }
>  return true;
> }
I was going to clean this up, but then realized it was broken.
It only takes effect after a user has already logged in.
Meaning the user visits over http -> goes to the login form over http ->
submits their password over http -> receives their session key and
potential user_token over http -> then finally gets redirected to https.
So the https redirection is worthless as the user has already kindly
handed their password over to any MITM.

But some other pointers.

  * :/ Please do not use getFullURL like that.
      o It's a horrible way to test for http (and in this case I don't
        believe it even has a meaning as I don't think that test will
        ever return saying that it starts with https)
      o getFullURL is not the correct URL to redirect to.
  * You never want to change $wgServer like that, it gets cached in
    parser caches/etc... so you will end up with broken navigation.
  * $wgServer also was missing a global declaration.
  * These tests don't take into account readers attempting to browse
    over https and leave wgServer set to http for them.


~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

_______________________________________________
MediaWiki-l mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
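The ordering problem Daniel describes, as an added example that is not code from the thread: a small Python model runs the quoted "redirect once logged in" policy and a policy that redirects before the login form is served against a constructed browser that follows redirects, and reports which steps carried the password or session cookie over plain http. The host, page names and step labels are constructed; the model ignores everything else the hook touches (e.g. $wgServer).

```python
"""Model of a MediaWiki login over http under two redirect policies (constructed example)."""

LOGIN_PAGE = "Special:UserLogin"
HOST = "example.com"  # constructed host, standing in for the thread's example.com


def posted_policy(scheme, title, logged_in):
    """The quoted hook's rule: redirect to https only once the user is logged in."""
    if logged_in and scheme == "http":
        return f"https://{HOST}/wiki/{title}"
    return None


def login_aware_policy(scheme, title, logged_in):
    """Redirect before the login form is ever served over http, and for logged-in users."""
    if scheme == "http" and (title == LOGIN_PAGE or logged_in):
        return f"https://{HOST}/wiki/{title}"
    return None


def _follow(policy, scheme, title, logged_in, steps):
    """Apply the hook once; record a redirect and switch scheme if one is issued."""
    target = policy(scheme, title, logged_in)
    if target:
        steps.append((scheme, "redirect"))
        return target.split("://", 1)[0]
    return scheme


def run_login_flow(policy):
    """Anonymous user opens the login form over http, submits a password, gets a session,
    then views Main_Page. Returns the (scheme, action) steps the browser performed."""
    steps, scheme = [], "http"
    scheme = _follow(policy, scheme, LOGIN_PAGE, False, steps)
    steps.append((scheme, "GET login form"))
    # The form posts back over whatever scheme it was served on
    scheme = _follow(policy, scheme, LOGIN_PAGE, False, steps)
    steps.append((scheme, "POST password"))
    steps.append((scheme, "receive session cookie"))  # user is now logged in
    scheme = _follow(policy, scheme, "Main_Page", True, steps)
    steps.append((scheme, "GET Main_Page"))
    return steps


def plaintext_secrets(policy):
    """Actions that carried a password or session cookie over http under this policy."""
    return [action for scheme, action in run_login_flow(policy)
            if scheme == "http" and action in ("POST password", "receive session cookie")]
```

Under the quoted policy the only redirect happens on the first page view after login, by which point both the password and the session cookie have already crossed the wire in the clear.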
