https://bugzilla.wikimedia.org/show_bug.cgi?id=47647
Arthur Richards <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected],
                   |                            |[email protected],
                   |                            |[email protected]
          Component|MobileFrontend              |CentralAuth

--- Comment #13 from Arthur Richards <[email protected]> ---
So, CentralAuth sets login cookies for most domains at the topmost level (e.g. .wikipedia.org as opposed to en.wikipedia.org), which works great with our domain scheme for mobile domains - that is, setting a cookie for .wikipedia.org will be usable by en.m.wikipedia.org as well as en.wikipedia.org.

The aforementioned configuration forces login cookies for meta and commons to use their full explicit domains to prevent security issues for other wikimedia.org subdomains (like, those of chapters, etc.). That means rather than setting login cookies for .wikimedia.org, we explicitly set login cookies for commons.wikimedia.org and meta.wikimedia.org, which will not be accessible from commons.m.wikimedia.org or meta.m.wikimedia.org.

One possible solution would be to use the 'EnterMobileMode' hook to override $wgCentralAuthCookieDomain. Failing that, Chris Steipp suggested possibly adding a hook in CentralAuth to allow for mucking around with domain names, though that may be even uglier.

I'll submit a patch for config to override $wgCentralAuthCookieDomain for commons/meta on mobile view.
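
The cookie scoping described in the comment above, worked through with the RFC 6265 domain-match rule. This is an added example, not code from CentralAuth, MobileFrontend or the bug thread; chapter.wikimedia.org is a constructed stand-in for a chapter subdomain, and the last Domain value is an assumed override, not the value from the patch.

```javascript
// Added illustration of RFC 6265 cookie domain matching; not CentralAuth code.

// RFC 6265 section 5.2.3: lowercase the Domain attribute, drop one leading dot.
function canonicalCookieDomain(attr) {
  const d = attr.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// Domain matching applies to host names only, never to IP literals.
function isIpLiteral(host) {
  return host.includes(':') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.3: match when the host equals the cookie domain or
// ends with "." + domain. Labels can only be added on the left.
function domainMatches(host, cookieDomainAttr) {
  const h = host.toLowerCase();
  const d = canonicalCookieDomain(cookieDomainAttr);
  if (d === '') return false;
  if (h === d) return true;
  return !isIpLiteral(h) && h.endsWith('.' + d);
}

// Hosts from the comment, plus one constructed chapter-style subdomain.
const HOSTS = [
  'en.wikipedia.org', 'en.m.wikipedia.org',
  'commons.wikimedia.org', 'commons.m.wikimedia.org',
  'meta.wikimedia.org', 'meta.m.wikimedia.org',
  'chapter.wikimedia.org', // constructed stand-in, not a name from the page
];

// Which of the hosts would be sent a cookie set with this Domain attribute.
function hostsReceiving(cookieDomainAttr, hosts = HOSTS) {
  return hosts.filter((h) => domainMatches(h, cookieDomainAttr));
}

const DOMAINS = [
  '.wikipedia.org',          // top-level scope: desktop and mobile both match
  'commons.wikimedia.org',   // explicit scope: commons.m.wikimedia.org is excluded
  '.wikimedia.org',          // would cover mobile, but also every other subdomain
  'commons.m.wikimedia.org', // assumed mobile override value, not from the patch
];
for (const d of DOMAINS) {
  console.log(d.padEnd(24), '->', hostsReceiving(d).join(', '));
}
```

The mobile host is excluded because the "m" label sits in the middle of the name rather than on the left, so commons.m.wikimedia.org is not a subdomain of commons.wikimedia.org.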
