Last modified: 2013-10-03 14:07:57 UTC
When $wgSecureLogin is set to true, the OpenID login page should redirect the user to HTTPS so that all transactions occur over TLS.
(In reply to comment #0)
> When $wgSecureLogin is set to true, the OpenID login page should redirect the
> user to HTTPS so that all transactions occur over TLS.

@Tyler: Isn't that a matter and task of the login code in MediaWiki core, which is now used from within OpenID? Perhaps, can you perform some tests with your local version, and let me know?
I'm referring to how even when $wgSecureLogin is true, the Special:OpenIDLogin page (and the entire login process) still can take place over HTTP. Also, you can have HTTP providers even when $wgSecureLogin is enabled.
*** Bug 54512 has been marked as a duplicate of this bug. ***
Since bug 54512 has been marked as a duplicate of this, I'll note here that in addition to Special:OpenIDLogin the various URLs returned by Special:OpenIDXRDS also need to not fail if the forceHTTPS cookie might be set. See that bug for details.
*** This bug has been marked as a duplicate of bug 54512 ***