
Switch $wgSecureLogin to false for WMF wikis where https is forced
Status: Closed, Declined. Visibility: Public.

Description

Having $wgSecureLogin=true enables code that handles redirecting the user to https for sensitive pages (login page, etc.), allows opting out of https by setting cookies insecure, and sets the forceHTTPS cookie so the application can redirect users who only have cookies set securely.

Turning this to false on WMF wikis will remove the extra overhead.
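The three behaviours the description lists, modelled as one request-handling decision so the trade-off is visible: with the flag on, the application layer does the redirect and cookie work on every request; with it off, nothing runs and the HTTPS redirect is left entirely to the edge. This is an added example, not MediaWiki's code; the hostname, the set of sensitive paths, the session cookie name and the per-user preference name are assumptions (only the forceHTTPS cookie name comes from the task).

```python
"""Model of the $wgSecureLogin=true behaviour described in the task.

Constructed example, not MediaWiki's implementation. It models:
  1. redirecting sensitive pages (login etc.) from http to https,
  2. letting a user opt out of https, in which case cookies are issued
     without the Secure flag,
  3. setting a forceHTTPS cookie (itself not Secure, so the browser sends
     it over plain http) so that a user whose session cookie is Secure-only
     is redirected to https instead of looking logged out.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed values; MediaWiki's real list and host differ.
SITE_HOST = "example.org"
SENSITIVE_PATHS = {
    "/wiki/Special:UserLogin",
    "/wiki/Special:CreateAccount",
    "/wiki/Special:ChangePassword",
}
LOGIN_PATH = "/wiki/Special:UserLogin"


@dataclass
class Request:
    scheme: str                                  # "http" or "https"
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    redirect_to: Optional[str] = None
    # (name, value, secure_flag) for each Set-Cookie the app would emit
    set_cookies: List[Tuple[str, str, bool]] = field(default_factory=list)


def handle(req: Request, secure_login: bool = True,
           prefer_https: bool = True) -> Decision:
    """Decide what the application does for one request.

    secure_login models $wgSecureLogin; prefer_https models the per-user
    preference that allows opting out of https (name assumed).
    """
    d = Decision()
    if not secure_login:
        # The change proposed in this task: none of the logic below runs,
        # the edge (nginx) is trusted to force https on its own.
        return d

    https_url = f"https://{SITE_HOST}{req.path}"
    if req.scheme == "http":
        # Behaviour 3: forceHTTPS cookie present means this user's session
        # cookie is Secure-only and was withheld by the browser; redirect
        # rather than treating them as logged out.
        if req.cookies.get("forceHTTPS") == "1":
            d.redirect_to = https_url
            return d
        # Behaviour 1: sensitive pages are always served over https.
        if req.path in SENSITIVE_PATHS:
            d.redirect_to = https_url
        return d

    # https request: on login, issue cookies according to the opt-out.
    if req.path == LOGIN_PATH:
        if prefer_https:
            d.set_cookies.append(("session", "<session-id>", True))
            d.set_cookies.append(("forceHTTPS", "1", False))
        else:
            # Behaviour 2: user opted out, so the session cookie is not
            # Secure and no forceHTTPS marker is set.
            d.set_cookies.append(("session", "<session-id>", False))
    return d


if __name__ == "__main__":
    for req in (Request("http", LOGIN_PATH),
                Request("http", "/wiki/Main_Page", {"forceHTTPS": "1"}),
                Request("https", LOGIN_PATH)):
        print(req.scheme, req.path, "->", handle(req))
```

The `secure_login=False` branch is the whole point of the task: every request skips the path check and cookie inspection, which is the "extra overhead" the description refers to, at the cost of relying solely on the edge redirect.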

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a project: Security-General.
csteipp added subscribers: csteipp, faidon.

Change 219265 had a related patch set uploaded (by BBlack):
No need for wgSecureLogin on our wikis, HTTPS is forced everywhere

https://gerrit.wikimedia.org/r/219265

Change 219265 merged by BBlack:
No need for wgSecureLogin on our wikis, HTTPS is forced everywhere

https://gerrit.wikimedia.org/r/219265

BBlack claimed this task.

Change 227740 had a related patch set uploaded (by BBlack):
Revert "No need for wgSecureLogin on our wikis, HTTPS is forced everywhere"

https://gerrit.wikimedia.org/r/227740

Given we had a related incident with a redirect regex bug recently, it would be better to leave this in place for now, so reverting the change. We can revisit this when we get past all the other hurdles preventing a simple unconditional redirect/403 with no exceptions at the nginx layer ( T107236 ) if we want.

Change 227740 merged by BBlack:
Revert "No need for wgSecureLogin on our wikis, HTTPS is forced everywhere"

https://gerrit.wikimedia.org/r/227740

Let's not do this.

We do need to clean up a few things (user preference, reduce the size of the forceHTTPS cookie) so the overhead is less.