Page MenuHomePhabricator
Create Task
Maniphest T73716

If coming from a non-secure website to a secured login, if force ssl is not enabled, it should return to the non-secure website.
Closed, ResolvedPublic
Actions

Description

Author: bugzillawiki

Description:
So looks like there's a bug if a mediawiki site has https enabled but doesn't want https anywhere other than login. So if the client comes via non-secure and goes to login with a secured wiki, then proceeds to login (and hasn't chosen to force SSL), the site continues to be in SSL.

Expected behavior: If a client logs in from non-ssl and the wiki has SSL enabled, and the client has not set "force ssl", the client should return to the non-secure wiki.

This patch should fix that behavior since the 'fromhttp' parameter wasn't being sent back to the post page properly:

https://gerrit.wikimedia.org/r/#/c/164882/

Version: 1.23.5
Severity: normal

Details

Reference
bz71716

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:49 AM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz71716.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Oct 6 2014, 7:27 PM
gerritbot added a comment.Oct 6 2014, 7:40 PM

Change 165080 had a related patch set uploaded by Stephenliang:
If a user logs in while not on https, then the user should be sent back to the non-secure website if they did not explicitly choose to stay on the secure site

https://gerrit.wikimedia.org/r/165080

csteipp added a comment.Oct 6 2014, 10:00 PM

Is this report about MediaWiki, or a particular WMF site (so mediawiki + centralauth)?

If it's just mediawiki, I think this is a duplicate of bug 61048, but I want to make sure I understand the issue you're seeing.

bzimport added a comment.Oct 6 2014, 10:29 PM

bugzillawiki wrote:

No, this is applicable to stock mediawiki as the expected behavior isn't working on my wiki.

It doesn't look like this is a duplicate of bug 61048 which is related to not being logged in after returning to http://. This one is related to going from http -> https login -> https whereas we expect it to be http -> https login -> http

With this patch applied and after testing, I can confirm that you do stay logged in even when returning to http, so it looks like bug 61048 has been fixed?

Nemo_bis added a comment.Oct 7 2014, 7:14 AM

This is bug 40541 once again.
What version of MediaWiki are you running? We had problems getting rid of this bug on OSM wiki too... I guess the underlying code is fragile.

bzimport added a comment.Oct 7 2014, 4:13 PM

bugzillawiki wrote:

I'm running version Mediawiki 1.23.5 (stock).

gerritbot added a comment.Dec 3 2014, 10:36 PM

Change 165080 merged by jenkins-bot:
If a user logs in while not on https, then the user should be sent back to the non-secure website.

https://gerrit.wikimedia.org/r/165080

csteipp closed this task as Resolved.Dec 3 2014, 10:36 PM
csteipp claimed this task.

I merged https://gerrit.wikimedia.org/r/#/c/165080/

csteipp edited projects, added MediaWiki-Tarball-Backports; removed Patch-For-Review.Dec 3 2014, 10:36 PM
csteipp set Security to None.
RandomDSdevel awarded a token.Dec 16 2014, 12:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL