Maniphest T107604

Improve $wgSecureLogin=true codepaths to efficiently co-exist with https-only sites
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	csteipp
	Jul 31 2015, 5:23 PM

Tags

Referenced Files

None

Subscribers

Description

Instead of setting $wgSecureLogin=false on sites that are https only (e.g., T103021 for the WMF), make the option more efficient so that it can be maintained as a backup control in case http->https redirection at the pre-application layer is broken.

Don't show user preference to "use insecure connection" for https-only sites - https://gerrit.wikimedia.org/r/#/c/217856/
Force all cookies to be set secure, reguardless of user preference, on https-only sites
Decrease the size of the forceHTTPS=1 cookie (iirc, facebook used "_s=1" when they converted to https) to minimize overhead

Related Objects

Mentioned In: T156320: $wgServer with initial https:// does not force HTTPS (wgSecureLogin)
Mentioned Here: T103021: Switch $wgSecureLogin to false for WMF wikis where https is forced

Event Timeline

csteipp created this task.Jul 31 2015, 5:23 PM

csteipp raised the priority of this task from to Medium.

csteipp updated the task description. (Show Details)

csteipp added projects: MediaWiki-extensions-CentralAuth, MediaWiki-User-login-and-signup.

csteipp added a subscriber: csteipp.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2015, 5:23 PM

csteipp updated the task description. (Show Details)Jul 31 2015, 9:38 PM

csteipp set Security to None.

Krinkle closed this task as a duplicate of T156320: $wgServer with initial https:// does not force HTTPS (wgSecureLogin).Apr 28 2017, 10:16 PM

Krinkle mentioned this in T156320: $wgServer with initial https:// does not force HTTPS (wgSecureLogin).

MarcoAurelio moved this task from Incoming to Done on the MediaWiki-extensions-CentralAuth board.Nov 22 2017, 9:46 AM