Last modified: 2014-05-22 14:41:53 UTC
While testing another preferences patch, I found that stock mediawiki is no longer respecting the preference to disable https after login when wgSecureLogin is set. * User is redirected to https when they click login, and the url parameter "fromhttp=1" is added. * User logs in (doesn't seem to matter if remember me is selected or not) * User is logged in, and cookies are set *for encrypted connections only* * User does *not* get a forceHTTPS cookie * User is redirected to the https version of the page where they clicked login Obviously, if the user types in an http:// url, they are no longer logged into the site since the cookie are set for https calls only. CentralAuth correctly handles the preference, so most users on WMF wikis are not affected. But we should get this fixed.
Related: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_%28technical%29&oldid=595129084#Forced_.22https.22_on_wikis
Wondering if this creates bug 54350. Anybody planning to work on this?
So does anybody knows if this is still a problem nowadays? And if this is still high priority?
I'm still seeing it. Since it doesn't effect most WMF wikis, and I haven't heard of anyone else affected, normal priority is probably fine.
Change 134756 had a related patch set uploaded by CSteipp: WIP: Respect wgForceHttps on login https://gerrit.wikimedia.org/r/134756