https://bugzilla.wikimedia.org/show_bug.cgi?id=61048

       Web browser: ---
            Bug ID: 61048
           Summary: Disabling https broken
           Product: MediaWiki
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: User preferences
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: cste...@wikimedia.org
                CC: agarr...@wikimedia.org
    Classification: Unclassified
   Mobile Platform: ---

While testing another preferences patch, I found that stock MediaWiki is no
longer respecting the preference to disable https after login when
wgSecureLogin is set.

* User is redirected to https when they click login, and the URL parameter
"fromhttp=1" is added.
* User logs in (doesn't seem to matter if remember me is selected or not)
* User is logged in, and cookies are set *for encrypted connections only*
* User does *not* get a forceHTTPS cookie
* User is redirected to the https version of the page where they clicked login

Obviously, if the user types in an http:// URL, they are no longer logged into
the site since the cookies are set for https calls only.

CentralAuth correctly handles the preference, so most users on WMF wikis are
not affected. But we should get this fixed.

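A check for the cookie state the report describes, as an added example that is not part of the original report or of MediaWiki's code. The cookie names and values are constructed, and the rule it applies (an opted-out user gets login cookies without Secure and no forceHTTPS cookie; a user who prefers HTTPS gets both) is an assumption drawn from the report.

```python
# Added example: cookie names and values below are constructed, not from the report.
# Assumed rule: opted out of HTTPS -> login cookies without Secure, no forceHTTPS;
# prefers HTTPS -> login cookies with Secure, plus a forceHTTPS cookie.

def parse_set_cookie(header):
    """Return (cookie name, has Secure attribute) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    return name, any(a.lower() == "secure" for a in attrs)

def check_login_cookies(headers, prefers_https, login_cookies):
    """List mismatches between the cookies set at login and the HTTPS preference."""
    seen = dict(parse_set_cookie(h) for h in headers)
    problems = []
    for name in login_cookies:
        if name not in seen:
            problems.append(f"{name}: not set")
        elif seen[name] and not prefers_https:
            problems.append(f"{name}: Secure-only, never sent on http:// requests")
        elif prefers_https and not seen[name]:
            problems.append(f"{name}: sent over http:// although HTTPS is preferred")
    if prefers_https != ("forceHTTPS" in seen):
        state = "missing" if prefers_https else "set"
        problems.append(f"forceHTTPS: {state}, which contradicts the preference")
    return problems

LOGIN_COOKIES = ["wiki_session", "wikiUserID"]  # constructed names

# State from the report: Secure login cookies, no forceHTTPS cookie.
REPORTED = [
    "wiki_session=abc123; path=/; secure; HttpOnly",
    "wikiUserID=42; path=/; secure; HttpOnly",
]
# What an opted-out user needs: the same cookies without Secure.
EXPECTED = [
    "wiki_session=abc123; path=/; HttpOnly",
    "wikiUserID=42; path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("reported", REPORTED), ("expected", EXPECTED)):
        print(label, check_login_cookies(headers, False, LOGIN_COOKIES))
```

Feed it the Set-Cookie values captured from a login response on a test wiki, once with each preference setting, to confirm a fix.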