
Improve $wgSecureLogin=true codepaths to efficiently co-exist with https-only sites
Closed, Duplicate (Public)


Instead of setting $wgSecureLogin=false on sites that are https only (e.g., T103021 for the WMF), make the option more efficient so that it can be maintained as a backup control in case http->https redirection at the pre-application layer is broken.

  • Don't show user preference to "use insecure connection" for https-only sites
  • Force all cookies to be set secure, regardless of user preference, on https-only sites
  • Decrease the size of the forceHTTPS=1 cookie (iirc, Facebook used "_s=1" when they converted to https) to minimize overhead
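
A check for the second and third items above, as an added example that is not part of the original task or MediaWiki's own code: it audits Set-Cookie headers for a missing Secure attribute and measures the per-request bytes saved by a shorter hint cookie. The sample headers and the `examplewiki*` cookie names are constructed; exempting the hint cookie from the audit is an assumption (a hint that must reach the server over plain HTTP cannot carry Secure).

```python
# Added example: audit Set-Cookie headers from an https-only site.

# Constructed sample headers; the examplewiki* names are hypothetical.
SAMPLE_SET_COOKIE = [
    "examplewikiSession=abc123; Path=/; HttpOnly; Secure",
    "examplewikiUserID=42; Path=/; HttpOnly",
    "forceHTTPS=1; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Return (name, value, has_secure) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; Secure carries no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, value, "secure" in attrs


def missing_secure(headers, exempt=()):
    """Names of cookies set without Secure, skipping any exempted names."""
    flagged = []
    for header in headers:
        name, _, secure = parse_set_cookie(header)
        if not secure and name not in exempt:
            flagged.append(name)
    return flagged


def request_overhead(name, value):
    """Bytes one pair adds to a non-empty Cookie request header.

    Counts 'name=value' plus the '; ' separator between pairs.
    """
    return len(f"{name}={value}; ".encode("ascii"))


def savings_per_request(old, new):
    """Bytes saved on every request by replacing pair `old` with `new`."""
    return request_overhead(*old) - request_overhead(*new)


if __name__ == "__main__":
    # Assumption: the hint cookie is exempt because it must be sent over HTTP.
    print("missing Secure:", missing_secure(SAMPLE_SET_COOKIE, {"forceHTTPS"}))
    print("bytes saved:", savings_per_request(("forceHTTPS", "1"), ("_s", "1")))
```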