Last modified: 2013-09-10 03:27:28 UTC
In the recent deployment of HTTPS the users who asked for being redirected to HTTPS are given global forceHTTPS cookies to be redirected to HTTPS on (theoretically) all wiki projects: Wikipedia, Wikisource, etc. In the current setup these global forceHTTPS cookies are set on global domains (.wikipedia.org, etc) but they are prefixed by the original wiki prefix (e.g. frwikiforceHTTPS) or by English-language prefixes (e.g. enwikisourceforceHTTPS), therefore the other language wikis are not redirected to HTTPS. I guess that this is a bug since some languages (English) are redirected to HTTPS and the others are not, at least it is non-intuitive from a user point of view. This bug is related to bug 53536 about the absence of removing of the global forceHTTPS cookies in the Wikimedia environment.
A solution for this bug would be to set non-prefixed forceHTTPS cookies (name="forceHTTPS") in the global domains. This solution should be implemented in MediaWiki to check the existence of non-prefixed forceHTTPS cookies (Wiki::main) and in CentralAuthUser::setGlobalCookies. This solution would facilitate the resolution of bug 53536 because all domains would have the same cookie, as opposed to the current situation where the original wiki project (where the user logged in) is prefixed by the original language wiki (e.g. frwikiforceHTTPS set on .wikipedia.org domain) and the other wiki projects prefixed by the English-language wikis (e.g. enwikisourceforceHTTPS).
Change 81864 had a related patch set uploaded by CSteipp: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81864
Change 81864 merged by jenkins-bot: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81864
Change 81867 had a related patch set uploaded by CSteipp: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81867
Change 81867 merged by jenkins-bot: Remove prefix from forceHTTPS cookie https://gerrit.wikimedia.org/r/81867
Thanks for your changes. These changes will temporary break the redirections from HTTP to HTTPS for logged users when it will be deployed until the next login. If possible I think it is better to let wikitech ambassadors know this fact to reduce surprises of the editors; the next Tech News will be probably issued in English tommorow evening, is there an expected deployment date for these two changes? (I don’t know how it is scheduled)
It will go out with wmf16, on Sept 5th, unless we push it out early. I could also add a check for the old cookie name.
If the old cookie is kept it will be until the end of September (4-5 WMF deployments) before natural expiration, and the code for the old cookie will become useless. Perhaps it is better to keep the old cookie to make smoother the transition? (I have no real opinion.)
Change 82065 had a related patch set uploaded by CSteipp: Also redirect if prefixed https cookie is preset https://gerrit.wikimedia.org/r/82065
Change 82065 merged by jenkins-bot: Also redirect if prefixed https cookie is preset https://gerrit.wikimedia.org/r/82065
(In reply to comment #10) > Change 82065 merged by jenkins-bot: > Also redirect if prefixed https cookie is preset Is more work needed to fix this bug report? If so, what?
The remaining fixes will be deployed with 1.22wmf16, so I think we can close the bug. If we need to deploy these sooner, we can schedule a time to backport and deploy the changes.
