https://bugzilla.wikimedia.org/show_bug.cgi?id=29986
Web browser: ---
Bug #: 29986
Summary: $wgSecureLogin fails to handle page links, non-SSL content
Product: MediaWiki
Version: 1.17
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: User login
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified

Created attachment 8806
  --> https://bugzilla.wikimedia.org/attachment.cgi?id=8806
SecureLoginPage.php

The SSL login feature enabled by $wgSecureLogin produces pages that can be
confusing to users. Here are several use cases that happen when
$wgSecureLogin=true.

1. User clicks "Log in". On the login page (which is https), the user does not
log in, but clicks another link on the page such as "Recent changes". This link
is also https. Suddenly the user is viewing the wiki via SSL, when this might
never have been the user's intention.

2. User clicks "Log in". The logo image, which was set by a sysadmin via
$wgLogo to be "http://some.other.site/myfile.jpg", gets served over http. The
browser (IE) pops up a warning, "Do you want to view only the webpage content
that was delivered securely?" The user gets confused or scared by the popup.

Several years ago I published a SecureUserLogin extension in my O'Reilly
"MediaWiki" book. It avoids problem 1 by automatically switching from https to
http when serving pages other than the login page. (Unless the user wants a
totally SSL session.) I believe MediaWiki should do similarly.

I will attach a copy of the extension in case it's useful to you.
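
Added example (not part of the bug report, the attached extension, or MediaWiki): a Python check that audits the HTML of an https login page for the two symptoms described above, namely http subresources that trigger the browser's mixed-content warning and same-host links that keep the user on https. The host wiki.example.org and the sample HTML are constructed; the logo URL is the one quoted in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute is fetched automatically while the page renders.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
FETCHED_LINK_RELS = {"stylesheet", "icon"}  # other <link rel> values are not fetched

class SecurePageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).netloc
        self.mixed_content = []  # use case 2: (tag, url) fetched over plain http
        self.https_links = []    # use case 1: same-host links that stay on https

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            # urljoin resolves relative and protocol-relative hrefs against the page
            url = urljoin(self.page_url, attrs["href"])
            parts = urlsplit(url)
            if parts.scheme == "https" and parts.netloc == self.page_host:
                self.https_links.append(url)
        elif tag in SUBRESOURCE_ATTR and attrs.get(SUBRESOURCE_ATTR[tag]):
            if tag == "link":
                rels = set((attrs.get("rel") or "").lower().split())
                if not rels & FETCHED_LINK_RELS:
                    return
            url = urljoin(self.page_url, attrs[SUBRESOURCE_ATTR[tag]])
            if urlsplit(url).scheme == "http":
                self.mixed_content.append((tag, url))

def audit(page_url, html):
    """Return (mixed_content, https_links) for one page served over https."""
    parser = SecurePageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.mixed_content, parser.https_links

# Constructed sample of a login page; not output captured from a real wiki.
SAMPLE_URL = "https://wiki.example.org/index.php?title=Special:UserLogin"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/skins/common/shared.css">
<script src="//wiki.example.org/skins/common/wikibits.js"></script></head><body>
<a href="/wiki/Main_Page"><img src="http://some.other.site/myfile.jpg"></a>
<a href="/wiki/Special:RecentChanges">Recent changes</a>
<a href="http://www.mediawiki.org/">Powered by MediaWiki</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```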