On 3 October 2011 21:18, Brion Vibber <[email protected]> wrote:
> On Mon, Oct 3, 2011 at 12:13 PM, Ashar Voultoiz <[email protected]> wrote:
>
> > Can you possibly enable $wgSecureLogin on all wikis? The feature lets you log in under HTTPS when you come from HTTP.
> >
> > Man page:
> > http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
> >
> > Revisions:
> > http://www.mediawiki.org/wiki/Special:Code/MediaWiki/75585
>
> Hmm, this seems to indicate it will return you to http: after authenticating; this is an unsafe practice which I would recommend strongly against.
>
> If you log in on HTTPS, we want to make sure that no session data (eg login cookies) can leak to HTTP -- where someone on your wireless network could hijack your session, delete a thousand pages on Wikipedia, and get your account locked out.
The $wgSecureLogin thing was and is a treatment of a symptom of the problem, not its cause. Once the bugs Brion mentions are worked through, we should be encouraging all logged-in users to go to, and stay with, SSL. What $wgSecureLogin should do is prompt all visits to Special:UserLogin to be redirected to https, and *not* send them back.

--HM

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
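Brion's point about login cookies leaking back to HTTP, as an added example that is not part of the thread and not MediaWiki code: a small model of how a browser scopes cookies by scheme under RFC 6265 (the Secure attribute, section 5.4), run over a constructed flow of an HTTPS login followed by the post-login redirect to HTTP that $wgSecureLogin performs. The cookie names, URLs and Set-Cookie headers below are constructed for illustration and are not taken from the project.

```python
"""Model of RFC 6265 cookie scoping for the HTTPS-login -> HTTP-redirect case.

Added example, not MediaWiki code. Cookie names, hosts and headers are
constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str   # host the cookie is scoped to (leading dot stripped)
    secure: bool  # RFC 6265 Secure attribute present


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header value (subset of RFC 6265 section 5.2).

    Only the Domain and Secure attributes matter for this model; Path,
    HttpOnly and Expires are accepted and ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = False
    domain = origin_host.lower()  # host-only cookie unless Domain= is given
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "domain" and val.strip():
            domain = val.strip().lstrip(".").lower()
    return Cookie(name.strip(), value.strip(), domain, secure)


def cookies_sent_to(jar, url):
    """Names of the cookies a browser would attach to a request for url.

    Implements the two checks from RFC 6265 section 5.4 that matter here:
    the request host must domain-match the cookie, and a Secure cookie is
    only sent when the request scheme is https.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    https = u.scheme == "https"
    sent = []
    for c in jar:
        if host != c.domain and not host.endswith("." + c.domain):
            continue
        if c.secure and not https:
            continue  # never sent in cleartext
        sent.append(c.name)
    return sent


def simulate_login(set_cookie_headers, login_url, redirect_url):
    """Log in at login_url, store the cookies, then follow the redirect.

    Returns (names sent to redirect_url, names that crossed to cleartext).
    """
    host = urlsplit(login_url).hostname or ""
    jar = [parse_set_cookie(h, host) for h in set_cookie_headers]
    sent = cookies_sent_to(jar, redirect_url)
    leaked = list(sent) if urlsplit(redirect_url).scheme == "http" else []
    return sent, leaked


# Constructed sample data (assumed names; not the project's real cookies).
LOGIN = "https://en.wikipedia.org/wiki/Special:UserLogin"
HOME_HTTP = "http://en.wikipedia.org/wiki/Main_Page"
HOME_HTTPS = "https://en.wikipedia.org/wiki/Main_Page"
INSECURE_HEADERS = [
    "enwikiSession=abc123; Path=/; HttpOnly",
    "enwikiUserID=42; Path=/; Domain=.wikipedia.org",
]
SECURE_HEADERS = [h + "; Secure" for h in INSECURE_HEADERS]


if __name__ == "__main__":
    # Login over HTTPS, then $wgSecureLogin-style redirect back to HTTP.
    print("no Secure flag, redirect to http:", simulate_login(INSECURE_HEADERS, LOGIN, HOME_HTTP))
    print("Secure flag, redirect to http:   ", simulate_login(SECURE_HEADERS, LOGIN, HOME_HTTP))
    print("Secure flag, stay on https:      ", simulate_login(SECURE_HEADERS, LOGIN, HOME_HTTPS))
```

Running it shows the two halves of the thread's argument: without the Secure attribute both session cookies are sent on the very first plain-HTTP request after login, which is the cleartext exposure Brion describes; with the attribute they are withheld on HTTP, but then the user looks logged out on every HTTP page, which is why the redirect back to HTTP has to go and logged-in users have to stay on HTTPS, as HM argues.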
