Last modified: 2013-09-10 03:27:28 UTC
In the recent deployment of HTTPS, the users who asked to be redirected to HTTPS are given global forceHTTPS cookies to be redirected to HTTPS on (theoretically) all wiki projects: Wikipedia, Wikisource, etc. In the current setup these global forceHTTPS cookies are set on global domains (.wikipedia.org, etc.) but they are prefixed by the original wiki prefix (e.g. frwikiforceHTTPS) or by English-language prefixes (e.g. enwikisourceforceHTTPS); therefore the other language wikis are not redirected to HTTPS. I guess that this is a bug, since some languages (English) are redirected to HTTPS and the others are not; at least it is non-intuitive from a user point of view. This bug is related to bug 53536 about the global forceHTTPS cookies not being removed in the Wikimedia environment.
A solution for this bug would be to set non-prefixed forceHTTPS cookies (name="forceHTTPS") in the global domains. This solution should be implemented in MediaWiki to check the existence of non-prefixed forceHTTPS cookies (Wiki::main) and in CentralAuthUser::setGlobalCookies. This solution would facilitate the resolution of bug 53536 because all domains would have the same cookie, as opposed to the current situation where the original wiki project (where the user logged in) is prefixed by the original language wiki (e.g. frwikiforceHTTPS set on .wikipedia.org domain) and the other wiki projects prefixed by the English-language wikis (e.g. enwikisourceforceHTTPS).
Change 81864 had a related patch set uploaded by CSteipp: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81864
Change 81864 merged by jenkins-bot: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81864
Change 81867 had a related patch set uploaded by CSteipp: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81867
Change 81867 merged by jenkins-bot: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81867
Thanks for your changes. These changes will temporarily break the redirections from HTTP to HTTPS for logged-in users when they are deployed, until the next login. If possible, I think it is better to let wikitech ambassadors know this fact to reduce surprises for the editors; the next Tech News will probably be issued in English tomorrow evening. Is there an expected deployment date for these two changes? (I don't know how it is scheduled.)
It will go out with wmf16, on Sept 5th, unless we push it out early. I could also add a check for the old cookie name.
If the old cookie is kept it will be until the end of September (4-5 WMF deployments) before natural expiration, and the code for the old cookie will become useless. Perhaps it is better to keep the old cookie to make the transition smoother? (I have no real opinion.)
Change 82065 had a related patch set uploaded by CSteipp: Also redirect if prefixed https cookie is preset https://gerrit.wikimedia.org/r/82065
Change 82065 merged by jenkins-bot: Also redirect if prefixed https cookie is preset https://gerrit.wikimedia.org/r/82065
(In reply to comment #10)
> Change 82065 merged by jenkins-bot:
> Also redirect if prefixed https cookie is preset

Is more work needed to fix this bug report? If so, what?
The remaining fixes will be deployed with 1.22wmf16, so I think we can close the bug. If we need to deploy these sooner, we can schedule a time to backport and deploy the changes.
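The cookie lookup discussed in this report, modelled as an added example (not part of the original thread and not MediaWiki code): it shows why a cookie set on `.wikipedia.org` is sent to every language wiki yet only triggers a redirect where the prefix matches, and what the unprefixed name and the old-cookie fallback change. It assumes each wiki looked for its own prefix plus `forceHTTPS` before the fix; `dewiki`, `frwikisource` and all function names are constructed for illustration.

```python
# Constructed model of the cookie lookup discussed in this thread; not MediaWiki code.
# Assumption: before the fix, each wiki looks for "<its own prefix>forceHTTPS".

WIKIS = {  # host -> cookie prefix (dewiki and frwikisource are constructed examples)
    "fr.wikipedia.org": "frwiki",
    "de.wikipedia.org": "dewiki",
    "en.wikisource.org": "enwikisource",
    "fr.wikisource.org": "frwikisource",
}

def domain_matches(host, cookie_domain):
    """Domain-match in the RFC 6265 sense for a cookie set on e.g. '.wikipedia.org'."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def cookies_sent(jar, host):
    """Names of the cookies a browser would attach to a request for `host`."""
    return {name for name, domain in jar if domain_matches(host, domain)}

def redirects(jar, host, accept_unprefixed, accept_prefixed):
    """True if the wiki at `host` would redirect this HTTP request to HTTPS."""
    sent = cookies_sent(jar, host)
    if accept_unprefixed and "forceHTTPS" in sent:
        return True
    return accept_prefixed and WIKIS[host] + "forceHTTPS" in sent

def redirected_hosts(jar, accept_unprefixed, accept_prefixed):
    """Sorted list of modelled hosts that would redirect for this cookie jar."""
    return sorted(h for h in WIKIS if redirects(jar, h, accept_unprefixed, accept_prefixed))

# Cookie jars as (name, domain) pairs for a user who logged in on frwiki.
OLD_JAR = [("frwikiforceHTTPS", ".wikipedia.org"),
           ("enwikisourceforceHTTPS", ".wikisource.org")]
NEW_JAR = [("forceHTTPS", ".wikipedia.org"), ("forceHTTPS", ".wikisource.org")]

if __name__ == "__main__":
    print("reported bug:      ", redirected_hosts(OLD_JAR, False, True))
    print("fix, old cookies:  ", redirected_hosts(OLD_JAR, True, False))
    print("fix + fallback:    ", redirected_hosts(OLD_JAR, True, True))
    print("fix, after relogin:", redirected_hosts(NEW_JAR, True, False))
```

The second case is the temporary loss of redirection until the next login that the thread mentions; the third is the transitional check for the old cookie name.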