https://bugzilla.wikimedia.org/show_bug.cgi?id=39380
MZMcBride <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Set $wgSecureLogin = true   |Set $wgSecureLogin = true;
                   |on WMF wikis.               |on Wikimedia wikis

--- Comment #20 from MZMcBride <[email protected]> 2012-08-28 00:39:24 UTC ---
(In reply to comment #19)
> (In reply to comment #18)
>> experience, which is why I'd rather see effort focused on fixing bug 29898.
>
> But does this change require any other effort besides the change of an
> existing setting to true?

Err, right. I think I remember what's going on here now.

So there's $wgSecureLogin, which basically changes the "log in" link to specify HTTPS. The user clicks "log in" and he or she logs in to HTTPS and the user will stay in HTTPS after successfully logging in.

However, when the user clicks one of the million HTTP links (in an e-mail, on a wiki page, on IRC, elsewhere on the Web), the user will not be automagically redirected to HTTPS, he or she will _stay_ at HTTP and he or she won't be logged in any longer. This is very disorienting. The user can click "log in" in the corner of the page, but he or she will be transferred to Special:UserLogin over HTTPS and suddenly the user will appear to be logged in again.

In short, the issue with just setting $wgSecureLogin to true is that the user experience kind of sucks, as I understand it. (Feel free to correct me if I've misread the $wgSecureLogin-related code!)

(I'm also not sure it actually prevents form submission over HTTP [if the user navigates to the HTTP version of Special:UserLogin directly].)

If this is an acceptable situation, it's fine to set $wgSecureLogin to true on Wikimedia wikis. You'll need to get an okay from Wikimedia Foundation operations (ops) first before the change can be deployed. The load spike from logging in over HTTPS should be minimal, but the load spike from users continuing to use HTTPS after logging in will be less negligible, I think.
Ops will also want a heads-up so that there isn't an unexplained load spike.
