https://bugzilla.wikimedia.org/show_bug.cgi?id=53379
Seb35 <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Blocks|                            |27946

--- Comment #6 from Seb35 <[email protected]> ---
Although it is true the cookie is removed when logging out, I tried many times and it is never removed (with Opera 12.16 and Firefox 20.0).

By investigating I see when I log out from a wiki (here frwiki) that the forceHTTPS cookie has a Secure attribute:

  Set-Cookie: frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; httponly

I wonder if this secure attribute doesn’t prevent the user-agent from modifying/deleting the non-secure cookie; I quickly searched in RFC 6265 (cookies) but didn’t find anything about the interactions between secure and non-secure cookies. If this bug really comes from this fact, User::clearCookie has to be changed to receive an argument to clear explicitly-unsecure cookies.

As a side fact, I see there are two forceHTTPS cookies when you connect to Wikipedia: one set by frwiki (domain fr.wikipedia.org) and one set by login.wikimedia.org (domain .wikipedia.org); I don’t know how this interacts with this bug.

Login from the specific wiki (here frwiki):

  Set-Cookie: frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; httponly

Continuation of the login, from login.wikimedia.org:

  Set-Cookie: frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; domain=.wikipedia.org; httponly
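
Added example (not part of the original comment and not MediaWiki's code): a minimal Python model of the RFC 6265 section 5.3 storage step, replaying the three Set-Cookie headers quoted above. It assumes a user agent that follows that model exactly; the function names, the clock value and the omission of domain-match checks on receipt are choices made for this example.

```python
from http.cookiejar import http2time

def parse_set_cookie(header, request_host):
    """Return (key, cookie); key is RFC 6265's (name, domain, path) identity."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    cookie = {"value": value, "host_only": not domain,
              "secure": "secure" in attrs,
              "expires": http2time(attrs["expires"]) if "expires" in attrs else None}
    return (name, domain or request_host.lower(), attrs.get("path", "/")), cookie

def receive(jar, header, request_host, now):
    """Storage step of RFC 6265 section 5.3 (domain-match checks on receipt omitted)."""
    key, cookie = parse_set_cookie(header, request_host)
    jar.pop(key, None)        # same name + domain + path: the old cookie is evicted
    if cookie["expires"] is None or cookie["expires"] > now:
        jar[key] = cookie     # Secure is stored as a flag; it is not part of the key

def cookies_sent(jar, host, https):
    """Cookie pairs a request to `host` would carry (every path here is "/")."""
    sent = []
    for (name, domain, _path), c in jar.items():
        in_scope = host == domain or (not c["host_only"] and host.endswith("." + domain))
        if in_scope and (https or not c["secure"]):
            sent.append(f"{name}={c['value']}")
    return sent

def replay():
    now = http2time("Thu, 29-Aug-2013 00:00:00 GMT")  # constructed clock value
    jar = {}
    # Headers as quoted in the comment; the jar is seeded with both login cookies as reported.
    receive(jar, "frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; httponly",
            "fr.wikipedia.org", now)
    receive(jar, "frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; domain=.wikipedia.org; httponly",
            "login.wikimedia.org", now)
    after_login = cookies_sent(jar, "fr.wikipedia.org", https=False)
    receive(jar, "frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; httponly",
            "fr.wikipedia.org", now)
    return after_login, cookies_sent(jar, "fr.wikipedia.org", https=False)

if __name__ == "__main__":
    print(replay())
```

In this model the logout header evicts only the host-only fr.wikipedia.org cookie, because the store matches on name, domain and path; the domain=.wikipedia.org cookie remains and is still sent over plain HTTP.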
