Last modified: 2013-10-03 14:07:57 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T46353, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 44353 - [SUGGESTION] Login page doesn't respect $wgSecureLogin
[SUGGESTION] Login page doesn't respect $wgSecureLogin
Status: RESOLVED DUPLICATE of bug 54512
Product: MediaWiki extensions
Classification: Unclassified
OpenID (Other open bugs)
master
All All
: Unprioritized normal (vote)
: ---
Assigned To: T. Gries
:
Depends on:
Blocks: 9604
  Show dependency treegraph
 
Reported: 2013-01-25 19:19 UTC by Tyler Romeo
Modified: 2013-10-03 14:07 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Tyler Romeo 2013-01-25 19:19:58 UTC 
When $wgSecureLogin is set to true, the OpenID login page should redirect the user to HTTPS so that all transactions occur over TLS.
Comment 1 T. Gries 2013-05-07 06:54:54 UTC 
(In reply to comment #0)
> When $wgSecureLogin is set to true, the OpenID login page should redirect the
> user to HTTPS so that all transactions occur over TLS.

@Tyler:

Isn't that a matter and task of the login code in MediaWiki core, which is now used from within OpenID ?

Perhaps, can you perform some tests with your local version, and let me know ?
Comment 2 Tyler Romeo 2013-05-08 14:15:31 UTC 
I'm referring to how even when $wgSecureLogin is true, the Special:OpenIDLogin page (and the entire login process) still can take place over HTTP. Also, you can have HTTP providers even when $wgSecureLogin is enabled.
Comment 3 T. Gries 2013-10-03 08:11:10 UTC 
*** Bug 54512 has been marked as a duplicate of this bug. ***
Comment 4 Brad Jorsch 2013-10-03 14:04:04 UTC 
Since bug 54512 has been marked as a duplicate of this, I'll note here that in addition to Special:OpenIDLogin the various URLs returned by Special:OpenIDXRDS also need to not fail if the forceHTTPS cookie might be set. See that bug for details.
Comment 5 T. Gries 2013-10-03 14:07:57 UTC 

*** This bug has been marked as a duplicate of bug 54512 ***
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links