On Fri, May 13, 2022 at 1:14 AM Toshi Esumi <[email protected]> wrote:
>
> On 5/12/22 04:31, Jeffrey Walton wrote:
> >
> > I ran into this issue (or a very similar issue) several years ago. Or
> > I had the same symptoms. Verify $wgServer matches the server name in
> > httpd.conf .
> > ...
>
> Thanks Jeff. It was spot on.
>
> First I didn't know they needed to match and I changed $wgServer side
> only. Also I recently installed a certificate to add SSL support then
> forgot to update to $wgServer = https://...

Glad to hear it. It took us a couple of days to work out the problem
when we experienced it.

I _think_ what happened was, the server was serving pages that
violated the browser's Same Origin Policy (SOP). So you would log in
over https using host example.com, and then you would get an http page
from www.example.com and that would blow away the cookie.

In the browser's security model, an origin is a {protocol, host, port}
triplet. All requests have to use the same origin. Switching between
http and https, and switching between hosts example.com and
www.example.com would muck things up.

That's why $wgServer, $wgCanonicalServer, ServerName and ServerAlias
had to line up properly.

Jeff
_______________________________________________
MediaWiki-l mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
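
The origin comparison described in the message above, as an added example that is not part of the original thread: it breaks each URL into the {protocol, host, port} triplet and reports which fields differ from the configured $wgServer. The function names and sample URLs are constructed, and $wgServer is assumed to be an absolute http or https URL.

```javascript
// Added example, not from the thread. Function names and URLs are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the {protocol, host, port} triplet, filling in the
// scheme's default port when the URL does not carry an explicit one.
function originTriplet(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme in ${url}`);
  }
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Names of the triplet fields on which two URLs disagree (empty = same origin).
function originDiff(a, b) {
  const x = originTriplet(a);
  const y = originTriplet(b);
  return ["protocol", "host", "port"].filter((k) => x[k] !== y[k]);
}

// Compare the wiki's $wgServer with every URL the web server answers on
// (ServerName / ServerAlias combined with the vhost's scheme and port).
function checkWiki(wgServer, servedUrls) {
  return servedUrls.map((url) => {
    const differs = originDiff(wgServer, url);
    return { url, sameOrigin: differs.length === 0, differs };
  });
}

// Constructed sample: wiki configured for https://example.com while the web
// server also answers plain http and the www alias.
const report = checkWiki("https://example.com", [
  "https://example.com:443/wiki/Main_Page",
  "http://example.com/wiki/Main_Page",
  "http://www.example.com/wiki/Main_Page",
  "https://www.example.com/wiki/Main_Page",
]);
for (const r of report) {
  console.log(r.sameOrigin ? "same     " : "different", r.url, r.differs.join(","));
}
```

Any row marked "different" is a URL that should redirect to the $wgServer origin rather than serve wiki pages itself.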
