Last modified: 2013-09-03 17:31:04 UTC
This might be OK, but I thought I'd report it because it seems strange to me: * login on http://test2.wikipedia.org with a global account, get the redirect to central server and end up on the https URL https:/test2.wikipedia.org * explicitly open an http page requiring login, like http://test2.wikipedia.org/wiki/Special:UploadWizard by pasting into the address bar ** User gets a message "Not logged in" * click "Log in" * on login page, click "Log in" without filling in password. User name is filled in automatically. ** Login succeeds without password being entered *** Note: sometimes upon doing this I briefly see a "Password field was empty" or "Cookies required" error message before the login succeeds. * explicitly open the http page again, http://test2.wikipedia.org/wiki/Special:UploadWizard ** This time the user is sent to the page correctly without incident Unexpected behavior: * Login succeeds from login page without a password required * Login sometimes reports a missing-password or cookies error before succeeding * Pasting an http: URL fails after first login but succeeds after second password-less login.
Confirmed, that is a bug. We have a larger patch for SUL that we're (almost) ready to merge and deploy, which I'm pretty confident will address this.
(In reply to comment #0) > This might be OK, but I thought I'd report it because it seems strange to > me: > > * login on http://test2.wikipedia.org with a global account, get the redirect > to central server and end up on the https URL https:/test2.wikipedia.org > * explicitly open an http page requiring login, like > http://test2.wikipedia.org/wiki/Special:UploadWizard by pasting into the > address bar > ** User gets a message "Not logged in" Apparently it's only logging you in on the secure site, not the insecure site. Aaron knows more about this bit of the code than I do, CCing him. > * click "Log in" > * on login page, click "Log in" without filling in password. User name is > filled in automatically. > > ** Login succeeds without password being entered > *** Note: sometimes upon doing this I briefly see a "Password field was > empty" > or "Cookies required" error message before the login succeeds. When you open Special:Userlogin, it attempts to check if you're logged into the central domain in the background. Presumably this is succeeding, which is why the login seems to succeed despite entering a wrong password. There's JavaScript involved in that check that tries to send you to the success page, but if you already clicked the "Log in" button it may be that the browser isn't allowing the JavaScript to override the form submission.
This is still an issue with the latest version. loginwiki redirects back to the attached wiki with a PROTO_CURRENT link, which is always https in production. I just added a patch that should fix this.
Change 72657 had a related patch set uploaded by CSteipp: Redirect to correct protocol in SUL2 https://gerrit.wikimedia.org/r/72657
Change 72657 merged by jenkins-bot: Redirect to correct protocol in SUL2 https://gerrit.wikimedia.org/r/72657
Considering the patch has been merged since July, let's close this. Feel free to reopen if this still occurs.