[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Bug 41022 depends on bug 29898, which changed state.

Bug 29898 Summary: User preference for enforcing HTTPS
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898

What       |Removed          |Added
Status     |PATCH_TO_REVIEW  |RESOLVED
Resolution |---              |FIXED

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Bug 41022 depends on bug 29898, which changed state.

Bug 29898 Summary: User preference for enforcing HTTPS
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898

What       |Removed   |Added
Status     |RESOLVED  |PATCH_TO_REVIEW
Resolution |FIXED     |---

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Bug 41022 depends on bug 29898, which changed state.

Bug 29898 Summary: User preference for enforcing HTTPS
https://bugzilla.wikimedia.org/show_bug.cgi?id=29898

What       |Removed          |Added
Status     |PATCH_TO_REVIEW  |RESOLVED
Resolution |---              |FIXED

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Waldir wal...@email.com changed:

What       |Removed  |Added
Depends on |         |27946

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Brion Vibber br...@wikimedia.org changed:

What       |Removed  |Added
Status     |NEW      |RESOLVED
Resolution |         |WONTFIX

--- Comment #10 from Brion Vibber br...@wikimedia.org 2012-10-17 23:13:21 UTC ---

Gmail is https-only since a year or two ago? We should be following that model and dropping all HTTP login support these days.

--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #7 from Chris Steipp cste...@wikimedia.org 2012-10-15 13:53:39 UTC ---

It's not secure to send https cookies over http. So if a user requests https on mediawiki login, we set the flag to only send the session cookie for page requests over https. Otherwise an attacker just has to give a victim an image or redirect to http://en.wikipedia.org, and can sniff their session cookie.

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #8 from Krenair kren...@gmail.com 2012-10-15 15:40:59 UTC ---

Is this bug WONTFIX/INVALID then?

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #9 from Huji huji.h...@gmail.com 2012-10-15 22:30:36 UTC ---

(In reply to comment #7)
> It's not secure to send https cookies over http. So if a user requests https
> on mediawiki login, we set the flag to only send the session cookie for page
> requests over https. Otherwise an attacker just has to give a victim an image
> or redirect to http://en.wikipedia.org, and can sniff their session cookie.

I wonder why major online services like GMail or Yahoo! do that then. They only use HTTPS for login, by default.

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

MZMcBride b...@mzmcbride.com changed:

What       |Removed  |Added
CC         |         |b...@mzmcbride.com

--- Comment #1 from MZMcBride b...@mzmcbride.com 2012-10-14 17:16:57 UTC ---

Dupe of bug 29898?

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #2 from Huji huji.h...@gmail.com 2012-10-14 18:47:30 UTC ---

Not really. Bug 29898 talks about if a user wants to always use HTTPS for login (JUST for login), and how to enforce all sessions to be secure. This bug, however, is about retaining the login status if at some point you decide to switch protocols.

For example, I may use HTTP primarily and even decide to login over HTTP (and therefore not use the feature 29898 is suggesting); however, after I'm logged in, if I click on a DIFF link which has HTTPS in the beginning of it, I still want to show as logged in.

They are related features, but not the same.

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #3 from MZMcBride b...@mzmcbride.com 2012-10-14 19:11:35 UTC ---

(In reply to comment #2)
> For example, I may use HTTP primarily and even decide to login over HTTP (and
> therefore not use the feature 29898 is suggesting); however, after I'm logged
> in, if I click on a DIFF link which has HTTPS in the beginning of it, I still
> want to show as logged in.

With a completely reset Web browser (no cookies, no cache, etc.), if I navigate to http://en.wikipedia.org right now and successfully log in, when I subsequently navigate to https://en.wikipedia.org, I'm also logged in.

Logging in via HTTP will log you in to both HTTP and HTTPS. Given this, I'm still unclear what the bug is here. Does this feature not work for you?

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #4 from Huji huji.h...@gmail.com 2012-10-14 19:41:11 UTC ---

The reverse doesn't work. Log into HTTPS and then visit the site under HTTP.

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #5 from MZMcBride b...@mzmcbride.com 2012-10-14 20:25:56 UTC ---

(In reply to comment #4)
> The reverse doesn't work. Log into HTTPS and then visit the site under HTTP.

Right. This is a security feature. It prevents users from unwittingly exposing their session information over HTTP after they've properly logged in via HTTPS.

I believe this bug is invalid.

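The asymmetry discussed in comments #3 to #5 and the flag described in comment #7, reproduced with Python's standard cookie jar. This is an added example, not MediaWiki code or anything posted in the thread; the host name and the cookie name and value are constructed placeholders, and no network traffic is generated.

```python
"""Added example: how a client-side cookie jar treats the Secure flag."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "wiki.example.org"  # assumed placeholder host; never contacted

# Constructed Set-Cookie values (not MediaWiki's real cookie names).
SECURE_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "session=abc123; Path=/; HttpOnly"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        # CookieJar.extract_cookies() reads headers through info().get_all()
        return self._headers


def cookie_sent(login_scheme, set_cookie, visit_scheme):
    """Store the cookie from a login over login_scheme, then return the
    Cookie header the client would attach to a later request over
    visit_scheme (None when the jar withholds the cookie)."""
    jar = CookieJar()
    login = Request(f"{login_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)
    visit = Request(f"{visit_scheme}://{HOST}/page")
    jar.add_cookie_header(visit)
    return visit.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("https", SECURE_COOKIE, "https"),  # stays logged in
        ("https", SECURE_COOKIE, "http"),   # comment #4: appears logged out
        ("http", PLAIN_COOKIE, "https"),    # comment #3: login carries over
        ("https", PLAIN_COOKIE, "http"),    # comment #7: cookie exposed in cleartext
    ]
    for login_scheme, cookie, visit_scheme in cases:
        sent = cookie_sent(login_scheme, cookie, visit_scheme)
        print(f"login={login_scheme:5} visit={visit_scheme:5} "
              f"secure={'Secure' in cookie!s:5} -> Cookie: {sent}")
```

The last case is the one the Secure flag exists to prevent: without it, a session established over HTTPS is attached to any plain-HTTP request for the same host.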
[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

--- Comment #6 from Huji huji.h...@gmail.com 2012-10-14 23:39:34 UTC ---

I'm not sure if this is against security standards. From bug 29898 comment 2 by Brion Vibber:

> Running all login forms through HTTPS, then after that either keeping you in
> secure HTTPS-land or giving you an insecure cookie and shoving you back to
> HTTP, is common practice.

If it is reasonable to allow HTTP users to use HTTPS for login and then be redirected back to HTTP, then it is also reasonable to allow a user who started on HTTPS, and logged in on HTTPS, to retain their cookies in HTTP too.

I will wait for further input from others.

[Bug 41022] Preserve login status when switching protocols (HTTP and HTTPS)
https://bugzilla.wikimedia.org/show_bug.cgi?id=41022

Huji huji.h...@gmail.com changed:

What       |Removed  |Added
Depends on |         |29898