When using $wgSecureLogin, if a user leaves wpStickHTTPS unchecked, they are still redirected to an https page after login.
I think it's because getFullURL returns a protocol relative url by default now, so preg_replace( '/^https:/', 'http:', $redirectUrl ) has no effect.
(NB: fixing this seems to prevent a user from logging in without wpStickHTTPS checked, because their session cookies are set with the secure attribute, but they are immediately redirected to an insecure page, so their session cookie no longer exists in the request.)
Version: 1.20.x
Severity: major
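
The behaviour described in this report, as an added example that is not part of the original report and is not MediaWiki code: it runs the quoted substitution against an absolute and a protocol-relative redirect URL, then shows what happens to a Secure-flagged session cookie once the downgrade actually takes effect. The helper names (downgradeAsReported, forceScheme, effectiveScheme) and the wiki.example.org URLs are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki code. URLs are constructed samples.

// The substitution quoted in the report: rewrites only an explicit "https:" prefix.
function downgradeAsReported(string $url): string {
    return preg_replace('/^https:/', 'http:', $url);
}

// Hypothetical helper: force a scheme onto absolute and protocol-relative URLs.
// Path-only URLs have no host part, so they are returned unchanged.
function forceScheme(string $url, string $scheme): string {
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
    if (strncmp($url, '//', 2) === 0) {
        return $scheme . ':' . $url;
    }
    return preg_replace('#^https?:(?=//)#i', $scheme . ':', $url);
}

// Scheme the browser ends up on when redirected to $url from a page on $currentScheme.
function effectiveScheme(string $url, string $currentScheme): string {
    if (strncmp($url, '//', 2) === 0) {
        return $currentScheme; // protocol-relative: inherits the current scheme
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) ? strtolower($scheme) : $currentScheme;
}

$loginScheme = 'https'; // the login form itself is served over HTTPS
$samples = [
    'https://wiki.example.org/wiki/Main_Page',
    '//wiki.example.org/wiki/Main_Page', // protocol-relative form
];

foreach ($samples as $url) {
    foreach (['reported regex' => downgradeAsReported($url),
              'forceScheme' => forceScheme($url, 'http')] as $label => $target) {
        $landing = effectiveScheme($target, $loginScheme);
        // A cookie set with the Secure attribute is only sent over HTTPS.
        $cookie = $landing === 'https' ? 'sent' : 'not sent';
        printf("%-40s %-15s -> %-40s lands on %-5s secure cookie %s\n",
            $url, $label, $target, $landing, $cookie);
    }
}
```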