Last modified: 2007-01-24 17:19:53 UTC
There's a setting, $wfCookieSecure, that determines whether the cookies used by mediawiki are supposed to be https only. This setting is not honored for the session cookie. The interface to do that is new in PHP 4.2.0; as mediawiki now requires PHP 5, it can be enabled. Note that there is a similar bug 4731 for the httponly parameter, but that is new in PHP 5.2 so it might be undesirable to enable that. See also http://www.php.net/manual/en/function.session-set-cookie-params.php
Created attachment 3132 [details] Patch to fix bug
Whoops, good catch! Fixed in r19636