2011/2/13 Ville Stadista <[email protected]>:
> Currently, if you log in on secure you are not logged in on the
> unencrypted site, even if I allow setting third party cookies in the
> browser settings. I assume the login session is common to both
> unencrypted and encrypted, so would it be possible to transfer the
> session from secure.wikimedia.org? This way users could login securely
> but choose to use the unencrypted site for the normal tasks.
>
This is not a bug, it's a feature. If you were automatically logged in
on the insecure sites when logging in on the secure site, someone
could just trick you into visiting wikipedia.org (e.g. by including an
image from wikipedia.org on their web page, or through various other
means) and your browser would happily send your session cookies to
wikipedia.org unencrypted. If that someone happens to also be on the
same public wifi and has Firesheep running, they can now hijack your
login session.

Roan Kattouw (Catrope)
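As an added example (not part of this thread or of MediaWiki's code), the script below models the cookie behaviour Roan describes using Python's standard cookie jar: a session cookie issued by the secure host without the Secure attribute is attached to a plain-http request for an embedded image, while the same cookie scoped to HTTPS is withheld from it. The domain, hostnames and cookie name are placeholders, not the real sites' configuration.

```python
"""Model of a login session shared between https and http hosts.

A cookie jar applies the same rules a browser does: a cookie whose
Secure attribute is set is only attached to https requests, so a page
that embeds an image from the plain-http host cannot make the browser
reveal it in cleartext. All names here are constructed placeholders.
"""
import http.cookiejar
import urllib.request

SITE_DOMAIN = ".example.org"      # placeholder for the wiki's cookie domain
SESSION_COOKIE = "wiki_session"   # placeholder session cookie name


def make_session_cookie(value: str, secure: bool) -> http.cookiejar.Cookie:
    """Build the cookie a login on the secure host would set (constructed)."""
    return http.cookiejar.Cookie(
        version=0, name=SESSION_COOKIE, value=value,
        port=None, port_specified=False,
        domain=SITE_DOMAIN, domain_specified=True, domain_initial_dot=True,
        path="/", path_specified=True,
        secure=secure,            # the Secure attribute: https-only when True
        expires=None, discard=True, comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """Return the Cookie header the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)    # applies domain, path and Secure checks
    return req.get_header("Cookie")


def session_sent(secure_flag: bool, url: str) -> bool:
    """True if the session id would be sent on a request to url."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie("constructed-session-id", secure_flag))
    header = cookie_header_for(jar, url)
    return header is not None and SESSION_COOKIE in header


if __name__ == "__main__":
    # The request a third-party page triggers by embedding an image from
    # the plain-http host, versus a request to the secure host itself.
    for target in ("http://www.example.org/logo.png", "https://secure.example.org/"):
        for secure_flag in (False, True):
            print(f"Secure={secure_flag!s:5} {target:36} "
                  f"session sent: {session_sent(secure_flag, target)}")
```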

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l