Disabling https broken
Closed, Duplicate
Public

Description

While testing another preferences patch, I found that stock MediaWiki is no longer respecting the preference to disable https after login when wgSecureLogin is set.

  • User is redirected to https when they click login, and the url parameter "fromhttp=1" is added.
  • User logs in (doesn't seem to matter if remember me is selected or not)
  • User is logged in, and cookies are set *for encrypted connections only*
  • User does *not* get a forceHTTPS cookie
  • User is redirected to the https version of the page where they clicked login

Obviously, if the user types in an http:// url, they are no longer logged into the site since the cookies are set for https calls only.

CentralAuth correctly handles the preference, so most users on WMF wikis are not affected. But we should get this fixed.


Version: 1.24rc
Severity: normal

Details

Reference
bz61048
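
A check for the cookie state the description reports, as an added example that is not part of the original task or MediaWiki's own code: it parses a login response's Set-Cookie headers and flags Secure-only cookies issued without a forceHTTPS cookie. The header values and every cookie name other than forceHTTPS are constructed, and it assumes forceHTTPS is set without the Secure flag so that plain-http requests carry it.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers modelling the login response in the report:
# session cookies flagged Secure, and no forceHTTPS cookie.
# Cookie names other than forceHTTPS are hypothetical.
BUGGY_LOGIN = [
    "examplewiki_session=abc123; path=/; secure; HttpOnly",
    "examplewikiUserID=42; path=/; secure; HttpOnly",
]
# Constructed consistent state: the same cookies plus a non-Secure forceHTTPS
# cookie (assumption: it must be visible to plain-http requests).
CONSISTENT_LOGIN = BUGGY_LOGIN + ["forceHTTPS=true; path=/; HttpOnly"]


def parse_set_cookies(headers):
    """Return {cookie_name: is_secure} for a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = bool(morsel["secure"])
    return jar


def cookies_sent(jar, scheme):
    """Names a browser would attach to a request made over the given scheme."""
    return sorted(n for n, secure in jar.items() if scheme == "https" or not secure)


def audit_login(headers, hint="forceHTTPS"):
    """Flag the reported state: Secure-only cookies with no HTTPS hint cookie."""
    jar = parse_set_cookies(headers)
    secure_only = sorted(n for n, s in jar.items() if s and n != hint)
    http_visible = cookies_sent(jar, "http")
    return {
        "secure_only": secure_only,
        "sent_over_http": http_visible,
        # True when an http:// request would arrive with no session cookies
        # and nothing telling the server to send the user back to https.
        "stranded_on_http": bool(secure_only) and hint not in http_visible,
    }


if __name__ == "__main__":
    for label, headers in (("buggy", BUGGY_LOGIN), ("consistent", CONSISTENT_LOGIN)):
        print(label, audit_login(headers))
```
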

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 3:07 AM
bzimport set Reference to bz61048.
bzimport added a subscriber: Unknown Object (MLST).

Wondering if this creates bug 54350. Anybody planning to work on this?

So does anybody know if this is still a problem nowadays?
And if this is still high priority?

I'm still seeing it. Since it doesn't affect most WMF wikis, and I haven't heard of anyone else affected, normal priority is probably fine.

Change 134756 had a related patch set uploaded by CSteipp:
WIP: Respect wgForceHttps on login

https://gerrit.wikimedia.org/r/134756