https://bugzilla.wikimedia.org/show_bug.cgi?id=53667
Web browser: ---
Bug ID: 53667
Summary: HTTP URL to desktop website sometimes gives mobile
website for stopMobileRedirect=true if you have
enwikiforceHTTPS=true
Product: MediaWiki extensions
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Unprioritized
Component: MobileFrontend
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected],
[email protected]
Classification: Unclassified
Mobile Platform: ---
Use a mobile web browser. I used "User-Agent: Opera/9.80 (Android; Opera
Mini/7.5.33361/30.3793; U; sv) Presto/2.8.119 Version/11.10".
Steps to reproduce:
1: Delete all cookies.
2: Log in to Wikipedia. You should now see the mobile site as you are using a
mobile web browser.
3: At the bottom of the page, click on the link to the desktop version.
4: Elsewhere on the Internet, find a link which points to Wikipedia's desktop
HTTP edition, and click on the link. Alternatively, type in a URL yourself.
Actual result: The browser shows the mobile HTTPS edition of Wikipedia.
Expected result: The browser shows the desktop HTTPS edition of Wikipedia.
IMPORTANT: You must perform steps 2 and 3 in the order indicated above! If you
perform them in the opposite order, then the result is different (due to bug
43771).
== Explanation ==
Steps 2-3 should give you two cookies:
Set-Cookie: enwikiforceHTTPS=true; expires=Mon, 30-Sep-2013 23:24:04 GMT;
path=/; httponly
Set-Cookie: stopMobileRedirect=true; expires=Mon, 30-Sep-2013 23:15:06 GMT;
path=/; domain=.wikipedia.org; secure
When you request the Wikipedia article (say, http://en.wikipedia.org/wiki/A),
the following happens:
1. Browser sends "GET /wiki/A HTTP/1.1" to en.wikipedia.org. As the connection
is insecure, the stopMobileRedirect=true cookie isn't sent, but
enwikiforceHTTPS=true is sent:
Cookie: enwikiforceHTTPS=1
2. Server detects a mobile user agent, so you are redirected (302 Moved
Temporarily) to http://en.m.wikipedia.org/wiki/A (still no HTTPS).
3. Browser sends "GET /wiki/A HTTP/1.1" to en.m.wikipedia.org. As it is still
insecure, stopMobileRedirect=true isn't sent:
Cookie: enwikiforceHTTPS=true; enwikiforceHTTPS=1
4. Server detects enwikiforceHTTPS=true and enwikiforceHTTPS=1 (no idea why the
browser has two cookies with the same name) and you are redirected (302 Found)
to https://en.m.wikipedia.org/wiki/A.
5. Browser switches on SSL and sends "GET /wiki/A HTTP/1.1". Now all cookies
are sent, including stopMobileRedirect=true (private information removed):
Cookie: enwikiSession=REMOVED; centralauth_User=Stefan2;
centralauth_Token=REMOVED; centralauth_Session=REMOVED; enwikiUserID=808814;
enwikiUserName=Stefan2; enwikiforceHTTPS=true; enwikiforceHTTPS=1;
stopMobileRedirect=true
6. You see the mobile website.
Problem: As the redirect to HTTPS happens after the redirect to the mobile
site, the stopMobileRedirect=true cookie is sent too late and the server won't
know that you wish to stay on the desktop website.
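
The redirect chain described above, as an added simulation (not part of the original report and not MediaWiki code). It replays the observed order (mobile redirect before HTTPS redirect) and a hypothetical HTTPS-first order. Assumptions: every request comes from a mobile user agent, the forceHTTPS cookie is visible on both hosts as in the trace, and the names JAR, cookies_for, server, follow and https_first are made up for this example.

```python
from urllib.parse import urlsplit

# Constructed cookie jar modelled on the two Set-Cookie headers in the report.
# Assumption: forceHTTPS is visible on both hosts, as the request trace shows.
JAR = [
    {"name": "enwikiforceHTTPS", "domain": "wikipedia.org", "secure": False},
    {"name": "stopMobileRedirect", "domain": "wikipedia.org", "secure": True},
]

def cookies_for(url):
    """Names of cookies a browser attaches: domain must match, Secure needs https."""
    u = urlsplit(url)
    return sorted(c["name"] for c in JAR
                  if (u.hostname == c["domain"] or u.hostname.endswith("." + c["domain"]))
                  and (u.scheme == "https" or not c["secure"]))

def server(url, cookies, https_first):
    """Hypothetical server policy: return a redirect target, or None to serve the page."""
    u = urlsplit(url)
    to_https = None
    if u.scheme == "http" and "enwikiforceHTTPS" in cookies:
        to_https = "https://" + u.hostname + u.path
    to_mobile = None
    if u.hostname == "en.wikipedia.org" and "stopMobileRedirect" not in cookies:
        to_mobile = u.scheme + "://en.m.wikipedia.org" + u.path
    checks = [to_https, to_mobile] if https_first else [to_mobile, to_https]
    return next((target for target in checks if target), None)

def follow(url, https_first):
    """Follow redirects and return [(url, cookies sent), ...]; the last entry is served."""
    trace = []
    while url:
        sent = cookies_for(url)
        trace.append((url, sent))
        url = server(url, sent, https_first)
    return trace

if __name__ == "__main__":
    for https_first in (False, True):
        print("HTTPS redirect first:", https_first)
        for hop, sent in follow("http://en.wikipedia.org/wiki/A", https_first):
            print("  ", hop, "Cookie:", "; ".join(sent))
```

In the observed order the Secure cookie first appears on the third request, after the host has already changed to en.m.wikipedia.org; in the HTTPS-first order it is present when the mobile check runs.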