
Can't return to http after login with $wgSecurelogin
Closed, Resolved, Public

Description

When $wgSecurelogin is true, the login has the checkbox "Stay connected to HTTPS after login".

If this option is left unchecked, the user's session cookie is set with the secure flag, but the user is then forwarded to http and loses their session.

If you have not patched bug 40995, then you will often not see this, since the session frequently will be started under an insecure connection, and is not refreshed on login.


Version: 1.21.x
Severity: normal

Details

Reference
bz42832

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:56 AM
bzimport set Reference to bz42832.

Hmm, so since the session is set up when the form loads, from what I see the only way to fix this is to close the session, change the cookie parameters, and then restart the session.

I would recommend removing the checkbox -- all logins should go through https or you're just leaving the account open to session stealing if on open networks.

I would agree, but some wikis don't want that. I would agree to having an option forcing all logged in users to be on HTTPS, but we should at least have the option of allowing returning to HTTP.

Brian, I totally agree.

Tyler, I *think* we can add a parameter to set the session as secure or insecure as part of the session refresh on a successful login.

So the login CSRF token is checked against the original session, but the new session is secure/insecure based on the checkbox.
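A small model of the flow the comments describe, added here as an illustration and not MediaWiki's own code: the cookie jar honours the Secure flag (so a Secure cookie is not sent over http), the CSRF token is always checked against the original session, and the fixed path closes that session and restarts it with the Secure flag chosen by the checkbox. The class and function names, the in-memory session store and the user "alice" are assumptions.

```python
import secrets

class BrowserCookies:
    """Minimal cookie jar: a cookie set with the Secure flag is only sent over https."""
    def __init__(self):
        self.jar = {}  # name -> (value, secure)
    def set(self, name, value, secure):
        self.jar[name] = (value, secure)
    def for_request(self, scheme):
        return {n: v for n, (v, sec) in self.jar.items() if scheme == "https" or not sec}

class Wiki:
    """Toy stand-in for the login flow (assumed); sessions are kept in a dict keyed by id."""
    def __init__(self):
        self.sessions = {}
    def start_session(self, cookies, secure):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"csrf": secrets.token_hex(8)}
        cookies.set("session", sid, secure)
        return sid
    def login_form(self, cookies):
        # The session is started when the form loads, over https, so its cookie is Secure.
        sid = self.start_session(cookies, secure=True)
        return self.sessions[sid]["csrf"]
    def login(self, cookies, csrf, user, stay_https, regenerate):
        sid = cookies.for_request("https").get("session")
        old = self.sessions.get(sid)
        # The CSRF token is always checked against the original (form-load) session.
        if old is None or old["csrf"] != csrf:
            raise PermissionError("CSRF token does not match the original session")
        if not regenerate:
            old["user"] = user  # buggy path: the cookie keeps its Secure flag regardless
            return sid
        del self.sessions[sid]  # fixed path: close the old session ...
        new_sid = self.start_session(cookies, secure=stay_https)  # ... restart with the checkbox's flag
        self.sessions[new_sid]["user"] = user
        return new_sid
    def current_user(self, cookies, scheme):
        sid = cookies.for_request(scheme).get("session")
        return self.sessions.get(sid, {}).get("user")

def run(stay_https, regenerate, scheme="http"):
    """Log in over https, then load a page over `scheme`; return the user seen there."""
    wiki, cookies = Wiki(), BrowserCookies()
    csrf = wiki.login_form(cookies)
    wiki.login(cookies, csrf, "alice", stay_https, regenerate)
    return wiki.current_user(cookies, scheme)
```

With the checkbox unchecked, `run(False, False)` reproduces the lost session and `run(False, True)` keeps it.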