Page MenuHomePhabricator
Create Task
Maniphest T56626

forceHTTPS session cookie placed even with HTTPS opt-out set
Closed, ResolvedPublic
Actions

Description

Forced secure connection...again...[edit]

Even though the "always use a secure connection" box is unchecked, I'm being redirected to https:// no matter what I do on each and every page. This is becoming bothersome. - The Bushranger One ping only 22:43, 25 September 2013 (UTC)

Which browser are you using? If Firefox, try zapping all the forceHTTPS cookies, as suggested a few weeks back. --Redrose64 (talk) 23:09, 25 September 2013 (UTC)

I'm using FF22. I tried that - but there was no forceHTTPS cookie after I logged out per the directions there. There was one that existed while I was logged in, and I deleted it while logged in - and was then able to navigate using http://...however, as soon as I signed out and back in again, I was right back stuck on https://. This is a Wikipedia issue, not a my-browser isssue, as it's force-feeding me the forceHTTPS cookie every time I log in, even though it was just fine on http:// this morning. - The Bushranger One ping only 23:25, 25 September 2013 (UTC)

I tried deleting and had similar problems - it's also force feeding me that cookie every time I log in. Why do the technical people have meddle so... and not tell us. Dpmuk (talk) 06:07, 26 September 2013 (UTC)

Version: master
Severity: normal

Details

Reference
bz54626

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:16 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz54626.
bzimport added a subscriber: Unknown Object (MLST).
TheDJ created this task.Sep 26 2013, 8:53 AM
Aklapper added a comment.Sep 26 2013, 12:19 PM

I wonder if this is covered by anomie's https://gerrit.wikimedia.org/r/#/c/85776/ . Or not.

For the records: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_%28technical%29&oldid=574592983#Forced_secure_connection...again...
https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_%28technical%29&oldid=574592983#http_login_issue

gerritbot added a comment.Sep 26 2013, 2:31 PM

Change 86101 had a related patch set uploaded by Anomie:
Explicitly clear forceHTTPS cookie when insecure

https://gerrit.wikimedia.org/r/86101

gerritbot added a comment.Sep 26 2013, 10:19 PM

Change 86101 merged by jenkins-bot:
Explicitly clear forceHTTPS cookie when insecure

https://gerrit.wikimedia.org/r/86101

Anomie added a comment.Sep 27 2013, 4:15 PM

Marking this fixed, since the patch is merged. It looks like this just missed being included in 1.22wmf19, so it should go out to WMF wikis with 1.22wmf20. See https://www.mediawiki.org/wiki/MediaWiki_1.22/Roadmap for the schedule.

Unless, of course, Chris or someone wants to backport it (which would probably happen then on Monday).

Betacommand added a comment.Oct 6 2013, 3:18 PM

*** Bug 55368 has been marked as a duplicate of this bug. ***

Eloquence added a comment.Oct 10 2013, 7:58 AM

Is this in fact in wmf20? I don't see it in the release notes in https://www.mediawiki.org/wiki/MediaWiki_1.22/wmf20

Anomie added a comment.Oct 10 2013, 4:23 PM

I don't know why it's not on that release notes page, but I just checked on tin and it is included in the version of CentralAuth in /a/common/php-1.22wmf20/extensions/CentralAuth.

Eloquence added a comment.Oct 10 2013, 5:32 PM

Thanks for checking, Brad.

bzimport added a comment.Oct 13 2013, 10:12 PM

salisria wrote:

I'm getting forced into using HTTPS again today, so I'm reopening this bug. Not only that, but clearing the cookies doesn't help. If do that, then I get the popup message:
Central login
You are centrally logged in as XXXXXXX. Reload the page to apply your user settings.

And 15 different new HTTPS cookies added:
commons, incubator, login, mediawiki, meta, species, wikibooks, wikidata, wikinews, wikipedia, wikiquote, wikisource, wikiversity, wikivoyage, and wiktionary.

I am using Firefox 24.0.

bzimport added a comment.Oct 13 2013, 10:36 PM

salisria wrote:

Just realized something. One of the cookies was "wikipedia.org". If I remember correctly, then before there were separate cookies for en.wikipedia.org, fr.wikipedia.org, etc. Did someone do an optimization to use only one cookie per domain and then forget to give us the ability to opt out since there are no preferences users can set on "wikipedia.org", just on the individual sites?

bzimport added a comment.Oct 13 2013, 10:58 PM

salisria wrote:

Okay, just tried one more thing. Clearing the cookies, logging out, and logging back in. That worked. But still, I should not have ever gotten into the state I was in of it forcing me into HTTPS, so something is still wonky, even if intermittently so.

Anomie added a comment.Oct 15 2013, 4:15 PM

If you can reproduce this now that you've logged out and logged back in, please file a new bug with specific instructions on reproducing.

Eloquence added a comment.Oct 16 2013, 5:15 PM

Confirmed fixed in a Chrome private browser session with HTTPS disabled.

bzimport added a comment.Oct 18 2013, 5:43 PM

salisria wrote:

I have managed to reproduce it and this time noticed the trigger. Using Google Translate on a Wikipedia page. I have filed a new bug, Bug 55887.

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:58 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list, werdna.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL