Last modified: 2014-05-22 14:41:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T63048, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 61048 - Disabling https broken
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Component: User preferences
Version: 1.24rc
Hardware: All All
Importance: Normal normal
Assigned To: Nobody - You can work on this!

Reported: 2014-02-07 18:52 UTC by Chris Steipp
Modified: 2014-05-22 14:41 UTC (History)

Description Chris Steipp 2014-02-07 18:52:23 UTC
While testing another preferences patch, I found that stock MediaWiki is no longer respecting the preference to disable https after login when wgSecureLogin is set.

* User is redirected to https when they click login, and the url parameter "fromhttp=1" is added.
* User logs in (doesn't seem to matter if remember me is selected or not)
* User is logged in, and cookies are set *for encrypted connections only*
* User does *not* get a forceHTTPS cookie
* User is redirected to the https version of the page where they clicked login

Obviously, if the user types in an http:// url, they are no longer logged into the site since the cookies are set for https calls only.

CentralAuth correctly handles the preference, so most users on WMF wikis are not affected. But we should get this fixed.
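
The state listed in the report can be checked from the headers of the login response. The following is an added example, not part of the original report and not MediaWiki code; the cookie names other than forceHTTPS, the host wiki.example, and the rule that honouring the preference means non-Secure login cookies and a redirect back to http are assumptions.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    return first.split("=", 1)[0], {a.split("=", 1)[0].lower() for a in attrs if a}

def check_login_response(set_cookie_headers, location, prefers_https):
    """List which symptoms from the report are present in a login response."""
    cookies = dict(parse_set_cookie(h) for h in set_cookie_headers)
    secure_only = sorted(name for name, attrs in cookies.items()
                         if "secure" in attrs and name != "forceHTTPS")
    findings = []
    if secure_only and "forceHTTPS" not in cookies:
        # Browsers send Secure cookies over https only, so an http:// request
        # arrives without them and the user looks logged out.
        findings.append("http requests appear logged out: " + ", ".join(secure_only))
    if not prefers_https:
        # Assumption: honouring the preference means login cookies usable over
        # http and a redirect back to the http page.
        if secure_only:
            findings.append("preference ignored: Secure login cookies")
        if urlsplit(location).scheme == "https":
            findings.append("preference ignored: redirect stays on https")
    return findings

# Constructed sample headers (cookie names and values are made up).
BROKEN = [
    "wiki_session=abc123; path=/; secure; HttpOnly",
    "wikiUserID=42; path=/; secure; HttpOnly",
    "wikiUserName=Example; path=/; secure",
]
HONOURED = [
    "wiki_session=abc123; path=/; HttpOnly",
    "wikiUserID=42; path=/; HttpOnly",
]
FORCED = BROKEN + ["forceHTTPS=true; path=/; HttpOnly"]

if __name__ == "__main__":
    for line in check_login_response(
            BROKEN, "https://wiki.example/wiki/Main_Page", prefers_https=False):
        print(line)
```
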
Comment 2 Andre Klapper 2014-02-24 10:52:41 UTC
Wondering if this creates bug 54350. Anybody planning to work on this?
Comment 3 Andre Klapper 2014-05-21 14:59:43 UTC
So does anybody know if this is still a problem nowadays?
And if this is still high priority?
Comment 4 Chris Steipp 2014-05-21 19:44:31 UTC
I'm still seeing it. Since it doesn't affect most WMF wikis, and I haven't heard of anyone else affected, normal priority is probably fine.
Comment 5 Gerrit Notification Bot 2014-05-21 22:59:10 UTC
Change 134756 had a related patch set uploaded by CSteipp:
WIP: Respect wgForceHttps on login

https://gerrit.wikimedia.org/r/134756
