https://bugzilla.wikimedia.org/show_bug.cgi?id=53536

       Web browser: ---
            Bug ID: 53536
           Summary: forceHTTPS cookie not deleted in Wikimedia environment
           Product: Wikimedia
           Version: wmf-deployment
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: SSL related
          Assignee: [email protected]
          Reporter: [email protected]
    Classification: Unclassified
   Mobile Platform: ---

When a user logs out on a single wiki (not included in a wiki farm) the
forceHTTPS cookie is deleted. In the Wikimedia environment, login.wikimedia.org
sets top-domain forceHTTPS cookies (.wikipedia.org, .wikiversity.org, etc)
which are not deleted when the user logs out and therefore s/he is still
redirected to HTTPS as an anonymous user; even if s/he logs in again after having
unchecked the preference "Always use a secure connection when logged in" s/he
still is redirected to HTTPS since the global forceHTTPS cookie is still here.
So these global forceHTTPS cookies should be deleted when the user logs out.
The relevant HTTP headers are:

Login from the specific wiki (here frwiki):
  Set-Cookie: frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; httponly
Continuation of the login, from login.wikimedia.org:
  Set-Cookie: frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; domain=.wikipedia.org; httponly

Logout (specific wiki):
  Set-Cookie: frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; httponly


I originally reported this bug on bug 53379 but this one was focused on a user
interaction issue rather than on a real forceHTTPS cookie issue (it was a
single wiki); my first remarks are there. I mistakenly made a diagnosis and
proposed a solution, but the real bug is this one.

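The header sequence from the report, replayed against a simplified cookie store (an added example, not part of the original report and not MediaWiki code): browsers key a cookie by name, domain and path, so the logout header without a Domain attribute removes only the host-only cookie. The host name `fr.wikipedia.org`, the fixed clock `NOW` and the `LOGOUT_DOMAIN` header are assumptions constructed for the illustration.

```javascript
// Simplified model of browser cookie storage (RFC 6265, section 5.3): a cookie is
// keyed by name + domain + path, and a deletion only removes the matching key.
// Domain-match validation against the responding host is omitted.
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

function parseExpires(text) {
  const m = /(\d{2})-(\w{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2})/.exec(text);
  return Date.UTC(+m[3], MONTHS.indexOf(m[2]), +m[1], +m[4], +m[5], +m[6]);
}

function applySetCookie(jar, host, header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: host, hostOnly: true, path: "/", expires: Infinity };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "domain") { c.domain = val.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
    if (key === "path") c.path = val;
    if (key === "expires") c.expires = parseExpires(val);
  }
  const id = `${c.name}|${c.domain}|${c.path}`;
  if (c.expires <= now) jar.delete(id); else jar.set(id, c);
}

function cookiesSentTo(jar, host) {
  return [...jar.values()]
    .filter((c) => (c.hostOnly ? host === c.domain : host === c.domain || host.endsWith("." + c.domain)))
    .map((c) => `${c.name}=${c.value} (${c.hostOnly ? "host-only " : "domain "}${c.domain})`);
}

const WIKI = "fr.wikipedia.org";   // assumed host name for frwiki
const NOW = Date.UTC(2013, 7, 29); // constructed "current" time, before the login expiry
const LOGIN = [                    // headers quoted in the report
  "frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; httponly",
  "frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; domain=.wikipedia.org; httponly",
];
const LOGOUT = "frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; httponly";
// Constructed: the same deletion repeated with the Domain attribute the login used.
const LOGOUT_DOMAIN = LOGOUT.replace("path=/;", "path=/; domain=.wikipedia.org;");

function replay(logoutHeaders) {
  const jar = new Map();
  for (const h of [...LOGIN, ...logoutHeaders]) applySetCookie(jar, WIKI, h, NOW);
  return cookiesSentTo(jar, WIKI); // cookies still attached to a request to the wiki
}
console.log(replay([LOGOUT]), replay([LOGOUT, LOGOUT_DOMAIN]));
```

With only the logout header from the report, the `.wikipedia.org` cookie is still sent; it disappears once a deletion carrying the same Domain attribute is also issued.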