Use a mobile web browser. I used "User-Agent: Opera/9.80 (Android; Opera Mini/7.5.33361/30.3793; U; sv) Presto/2.8.119 Version/11.10".
Steps to reproduce:
1: Delete all cookies.
2: Log in to Wikipedia. You should now see the mobile site as you are using a mobile web browser.
3: At the bottom of the page, click on the link to the desktop version.
4: Elsewhere on the Internet, find a link which points to Wikipedia's desktop HTTP edition, and click on the link. Alternatively, type in a URL yourself.
Actual result: The browser shows the mobile HTTPS edition of Wikipedia.
Expected result: The browser shows the desktop HTTPS edition of Wikipedia.
Explanation
Steps 2-3 should give you two cookies:
Set-Cookie: enwikiforceHTTPS=true; expires=Mon, 30-Sep-2013 23:24:04 GMT; path=/; httponly
Set-Cookie: stopMobileRedirect=true; expires=Mon, 30-Sep-2013 23:15:06 GMT; path=/; domain=.wikipedia.org; secure
When you request the Wikipedia article (say, http://en.wikipedia.org/wiki/A), the following happens:
- Browser sends "GET /wiki/A HTTP/1.1" to en.wikipedia.org. As the connection is insecure, the stopMobileRedirect=true cookie isn't sent, but enwikiforceHTTPS=true is sent:
Cookie: enwikiforceHTTPS=1
- Server detects a mobile user agent, so you are redirected (302 Moved Temporarily) to http://en.m.wikipedia.org/wiki/A (still no HTTPS).
- Browser sends "GET /wiki/A HTTP/1.1" to en.m.wikipedia.org. As it is still insecure, stopMobileRedirect=true isn't sent:
Cookie: enwikiforceHTTPS=true; enwikiforceHTTPS=1
- Server detects enwikiforceHTTPS=true and enwikiforceHTTPS=1 (no idea why the browser has two cookies with the same name) and you are redirected (302 Found) to https://en.m.wikipedia.org/wiki/A.
- Browser switches on SSL and sends "GET /wiki/A HTTP/1.1". Now all cookies are sent, including stopMobileRedirect=true (private information removed):
Cookie: enwikiSession=REMOVED; centralauth_User=Stefan2; centralauth_Token=REMOVED; centralauth_Session=REMOVED; enwikiUserID=808814; enwikiUserName=Stefan2; enwikiforceHTTPS=true; enwikiforceHTTPS=1; stopMobileRedirect=true
- You see the mobile website.
Problem: As the redirect to HTTPS happens after the redirect to the mobile site, the stopMobileRedirect=true cookie is sent too late and the server won't know that you wish to stay on the desktop website.
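The redirect chain above, as an added Python simulation (not Wikimedia's code): a cookie jar that honours the Secure attribute, and a server that applies the two checks either in the order the report describes or with the HTTPS redirect first. The hostname rewriting and the User-Agent substring test are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

UA = "Opera/9.80 (Android; Opera Mini/7.5.33361/30.3793; U; sv) Presto/2.8.119 Version/11.10"

@dataclass(frozen=True)
class Cookie:
    value: str
    secure: bool = False  # Secure attribute: only attached to https:// requests

# Constructed jar mirroring the two cookies set in steps 2-3 of the report.
JAR = {
    "enwikiforceHTTPS": Cookie("true"),
    "stopMobileRedirect": Cookie("true", secure=True),
}

def cookies_sent(jar, url):
    """Cookies a browser attaches to a request for `url`, honouring Secure."""
    https = urlsplit(url).scheme == "https"
    return {name: c.value for name, c in jar.items() if https or not c.secure}

def serve(url, user_agent, jar, https_first):
    """One server round trip: returns a redirect URL, or None when the page is
    served. https_first=False is the ordering the report describes."""
    sent = cookies_sent(jar, url)
    parts = urlsplit(url)
    mobile_ua = "Opera Mini" in user_agent        # assumed UA detection
    on_mobile_host = ".m." in parts.netloc

    def to_https():
        if parts.scheme == "http" and "enwikiforceHTTPS" in sent:
            return urlunsplit(parts._replace(scheme="https"))

    def to_mobile():
        if mobile_ua and not on_mobile_host and "stopMobileRedirect" not in sent:
            host = parts.netloc.replace("wikipedia.org", "m.wikipedia.org", 1)
            return urlunsplit(parts._replace(netloc=host))

    for check in (to_https, to_mobile) if https_first else (to_mobile, to_https):
        target = check()
        if target:
            return target
    return None

def final_edition(start, user_agent, jar, https_first, max_hops=5):
    """Follow redirects as the browser does; report which edition is served."""
    url = start
    for _ in range(max_hops):
        nxt = serve(url, user_agent, jar, https_first)
        if nxt is None:
            break
        url = nxt
    return ("mobile" if ".m." in urlsplit(url).netloc else "desktop", url)
```

Running `final_edition("http://en.wikipedia.org/wiki/A", UA, JAR, https_first=False)` reproduces the mobile HTTPS result; with `https_first=True` the Secure cookie reaches the server before the mobile check and the desktop edition is served.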
Version: unspecified
Severity: minor