Last modified: 2014-10-16 11:24:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T73716, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 71716 - If coming from a non-secure website to a secured login, if force ssl is not enabled, it should return to the non-secure website.
Status: PATCH_TO_REVIEW
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.23.5
Hardware: All All
Importance: Normal normal
Assigned To: Nobody - You can work on this!
Depends on: 40541
Reported: 2014-10-06 19:27 UTC by Stephen Liang
Modified: 2014-10-16 11:24 UTC

Description Stephen Liang 2014-10-06 19:27:11 UTC
So it looks like there's a bug if a MediaWiki site has HTTPS enabled but doesn't want HTTPS anywhere other than login. So if the client comes via non-secure and goes to log in with a secured wiki, then proceeds to log in (and hasn't chosen to force SSL), the site continues to be in SSL.

Expected behavior: If a client logs in from non-ssl and the wiki has SSL enabled, and the client has not set "force ssl", the client should return to the non-secure wiki.

This patch should fix that behavior since the 'fromhttp' parameter wasn't being sent back to the post page properly:

https://gerrit.wikimedia.org/r/#/c/164882/
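
A minimal model of the round trip described in the report above, added here as an illustration; it is not part of the original report and is not MediaWiki's code (MediaWiki is PHP, this is a Python sketch). The function names, the `username` field, the `carry_fromhttp` switch and the `wiki.example` host are hypothetical; only the `fromhttp` parameter name comes from the report.

```python
from urllib.parse import parse_qs, urlsplit


def render_login_form(get_query: str, carry_fromhttp: bool) -> dict:
    """Return the fields the HTTPS login form will POST back.

    get_query is the query string of the GET that displayed the form.
    carry_fromhttp=False models the reported behaviour (the marker is
    dropped); True models the behaviour the patch is meant to restore.
    """
    fields = {"username": ""}  # hypothetical form field
    came_from_http = parse_qs(get_query).get("fromhttp") == ["1"]
    if carry_fromhttp and came_from_http:
        # Re-emit the marker as a hidden field so it survives the POST.
        fields["fromhttp"] = "1"
    return fields


def post_login_redirect(return_url: str, post_fields: dict, force_https: bool) -> str:
    """Pick the scheme of the post-login redirect.

    The POST itself always arrives over HTTPS, so the server can only tell
    "user started on http" from "user was already on https" if the marker
    came back with the form.
    """
    from_http = post_fields.get("fromhttp") == "1"
    stay_on_https = force_https or not from_http
    scheme = "https" if stay_on_https else "http"
    return urlsplit(return_url)._replace(scheme=scheme).geturl()


if __name__ == "__main__":
    # Constructed sample input: the GET that showed the login form.
    query = "title=Special:UserLogin&fromhttp=1"
    target = "https://wiki.example/wiki/Main_Page"
    for carry in (False, True):
        form = render_login_form(query, carry_fromhttp=carry)
        print(carry, post_login_redirect(target, form, force_https=False))
```
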
Comment 1 Gerrit Notification Bot 2014-10-06 19:40:18 UTC
Change 165080 had a related patch set uploaded by Stephenliang:
If a user logs in while not on https, then the user should be sent back to the non-secure website if they did not explicitly choose to stay on the secure site

https://gerrit.wikimedia.org/r/165080
Comment 2 Chris Steipp 2014-10-06 22:00:48 UTC
Is this report about MediaWiki, or a particular WMF site (so MediaWiki + CentralAuth)?

If it's just MediaWiki, I think this is a duplicate of bug 61048, but I want to make sure I understand the issue you're seeing.
Comment 3 Stephen Liang 2014-10-06 22:29:04 UTC
No, this is applicable to stock MediaWiki as the expected behavior isn't working on my wiki.

It doesn't look like this is a duplicate of bug 61048, which is related to not being logged in after returning to http://. This one is related to going from http -> https login -> https whereas we expect it to be http -> https login -> http.

With this patch applied and after testing, I can confirm that you do stay logged in even when returning to http, so it looks like bug 61048 has been fixed?
Comment 4 Nemo 2014-10-07 07:14:08 UTC
This is bug 40541 once again.
What version of MediaWiki are you running? We had problems getting rid of this bug on OSM wiki too... I guess the underlying code is fragile.
Comment 5 Stephen Liang 2014-10-07 16:13:07 UTC
I'm running MediaWiki version 1.23.5 (stock).
