
Login on https doesn't log you in on http
Closed, Resolved (Public)

Description

Go to http://en.m.wikipedia.org/wiki/Typhoon_Rusa
Click the watchlist star and click login
(Note you are now on https://en.m.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Typhoon+Rusa&returntoquery=article_action%3Dwatch&wpStickHTTPS=1)
Login
Click back twice so you are back on http://en.m.wikipedia.org/wiki/Typhoon_Rusa and hit refresh
You are no longer logged in

Expected:
Login on https should log you in on http


Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=43909

Details

Reference
bz44330

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:38 AM
bzimport set Reference to bz44330.

Logging in on https should NEVER log you in on http -- that defeats the purpose of an encrypted connection and makes it trivial for network sniffers or MiTM to steal your tokens.

True. I'm coming from a UX point of view here.

What I'm getting at is: if, as a user, I access Wikipedia via http and click on login, I am now logged in and accessing Wikipedia over https.

Now if I go to Wikipedia again on http via a google link I am now logged out and have to login again.

This loop will continue until I get bored of logging into Wikipedia (logging in is dull, right?)

An ideal solution would be to remember a user logged in and redirect them to https on subsequent visits. How we might do this I'm not sure.
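The two comments above describe the whole mechanism: the session cookie set by an https login carries the Secure attribute, so the browser never sends it on a plain-http request (which is the point of the comment about sniffers and MiTM), and the remedy is to remember that the browser holds an https session and redirect it to https before serving the page. The following model is an added illustration, not MediaWiki code from this task or the linked Gerrit change; the cookie names (`session`, and a non-Secure `forceHTTPS` marker chosen to echo the `wpStickHTTPS=1` parameter in the report's login URL) and the redirect logic are assumptions made for the example. It reproduces the reported steps, once without and once with the marker cookie, and records every request so you can confirm the session token itself is never sent over http in either case.

```python
"""Model of a Secure session cookie vanishing on a plain-http page load after
an https login, and of the 'remember the user is logged in and redirect them
to https' fix.  Added illustration, not MediaWiki code; the cookie names and
the redirect rule are assumptions for the example."""
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Cookie:
    value: str
    secure: bool  # Secure attribute: sent only over https (RFC 6265 s4.1.2.5)


class Browser:
    """Minimal cookie jar that honours the Secure attribute."""

    def __init__(self):
        self.jar = {}

    def store(self, set_cookies):
        for name, value, secure in set_cookies:
            self.jar[name] = Cookie(value, secure)

    def cookies_for(self, url):
        https = urlsplit(url).scheme == "https"
        return {n: c.value for n, c in self.jar.items() if https or not c.secure}


class Site:
    """Login is served over https and the session cookie is always Secure.
    With stick_https=True a second, non-Secure marker cookie (hypothetical
    name 'forceHTTPS') is set; its presence on an http request means 'this
    browser has an https session', so the server redirects instead of
    rendering a logged-out page.  The marker carries no secret."""

    def __init__(self, stick_https):
        self.stick_https = stick_https
        self.sessions = {}

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        cookies = [("session", token, True)]
        if self.stick_https:
            cookies.append(("forceHTTPS", "1", False))
        return cookies

    def handle(self, url, cookies):
        parts = urlsplit(url)
        if parts.scheme == "http" and cookies.get("forceHTTPS") == "1":
            return "redirect", urlunsplit(parts._replace(scheme="https"))
        user = self.sessions.get(cookies.get("session", ""))
        return "page", user


def visit(browser, site, url, trace, max_redirects=3):
    """Fetch url, following redirects; append (url, cookies sent) to trace."""
    for _ in range(max_redirects + 1):
        cookies = browser.cookies_for(url)
        trace.append((url, dict(cookies)))
        kind, payload = site.handle(url, cookies)
        if kind != "redirect":
            return url, payload
        url = payload
    raise RuntimeError("redirect loop")


def scenario(stick_https):
    """Reproduce the report: log in over https, then load the http article URL.
    Returns (final_url, logged_in_user_or_None, trace)."""
    browser, site, trace = Browser(), Site(stick_https), []
    browser.store(site.login("Alice"))  # cookies from the https login response
    final_url, user = visit(browser, site,
                            "http://en.m.wikipedia.org/wiki/Typhoon_Rusa", trace)
    return final_url, user, trace


def session_token_leaked_over_http(trace):
    """True if any plain-http request carried the Secure session cookie."""
    return any(urlsplit(u).scheme == "http" and "session" in c for u, c in trace)


if __name__ == "__main__":
    for flag in (False, True):
        url, user, trace = scenario(flag)
        print(f"stick_https={flag}: ended on {url}, logged in as {user}")
        for u, c in trace:
            print("   ", u, "cookies sent:", c)
```

Without the marker the http request carries no cookies at all and the server has no way to tell a logged-in visitor from an anonymous one, which is exactly the "you are no longer logged in" step in the report. With the marker the http request still carries nothing sensitive (only `forceHTTPS=1`), and the session cookie is first sent on the https request that follows the redirect.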

(In reply to comment #3)

This should resolve the bug:
https://gerrit.wikimedia.org/r/#/c/45922/

Merged by MaxSem on the 30th.