https://bugzilla.wikimedia.org/show_bug.cgi?id=53536
--- Comment #4 from Brad Jorsch <[email protected]> --- (In reply to comment #2) > This is a bug in Extension:CentralAuth. It fails to clear the cookie when > CentralAuthUser::deleteGlobalCookies() is called. It's more than that. CentralAuth doesn't actually need to call deleteGlobalCookies() on logout to make the user be logged out everywhere because changing the saved login token means the centralauth_Token cookies are no longer valid. So the calling of deleteGlobalCookies() on all wikis on logout was removed during the course of the SUL2 work. That needs to be re-added in order to clear this forceHTTPS cookie on all wikis. We're also going to have to take care of the forceHTTPS cookie set by core: Say you log in on dewiki, you actually get *two* forceHTTPS cookies, one for de.wikipedia.org set by core and one for .wikipedia.org set by CentralAuth. If you log out on dewiki everything works fine, but if you log out on any other site then that de.wikipedia.org forceHTTPS cookie isn't (and can't easily be) deleted. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
