Last modified: 2013-09-06 15:29:16 UTC
Created attachment 8806 [details] SecureLoginPage.php The SSL login feature enabled by $wgSecureLogin produces pages that can be confusing to users. Here are several use cases that happen when $wgSecureLogin=true. 1. User clicks "Log in". On the login page (which is https), the user does not log in, but clicks another link on the page such as "Recent changes". This link is also https. Suddenly the user is viewing the wiki via SSL, when this might never have been the user's intention. 2. User clicks "Log in". The logo image, which was set by a sysadmin via $wgLogo to be "http://some.other.site/myfile.jpg", gets served over http. The browser (IE) pops up a warning, "Do you want to view only the webpage content that was delivered securely?" The user gets confused or scared by the popup. Several years ago I published a SecureUserLogin extension in my O'Reilly "MediaWiki" book. It avoids problem 1 by automatically switching from https to http when serving pages other than the login page. (Unless the user wants a totally SSL session.) I believe MediaWiki should do similarly. I will attach a copy of the extension in case it's useful to you.
Created attachment 8807 [details] SecureLoginPage_body.php
We're already working on making URLs in MediaWiki protocol-relative as much as possible. Basically, if you set $wgServer = '//wiki.example.com'; in trunk as of a few days ago, that'll mostly work as you expect.
Comment on attachment 8806 [details] SecureLoginPage.php Change MIME types of PHP files to plain text so Bugzilla will hopefully display them to me without making me download them.
Using protocol-relative links doesn't have any effect on case 1) since those links are always on the local protocol/host anyway. Proper 'fix' for that is of course to always use SSL for all logged-in sessions at all times, which is much safer.
Brion: I see your point about security. Until such time that Wikipedia goes 100% SSL, it would be great if the secure login feature just followed the contract with its user: delivering articles over http unless the user has logged in and checked the "everything SSL" checkbox. Seem reasonable?
This really needs retesting now that SecureLogin is enabled by default. See https://meta.wikimedia.org/wiki/HTTPS
The bug definitely still exists (you can test it now on Wikipedia itself). However, we may consider WONTFIXing this.