I began digging to try to understand what was happening.

The high-level result is in MediaWiki::main() where $request->getSession()->shouldForceHTTPS() is false instead of true, hence the page is not redirected to its HTTPS alter ego.

In the lower levels, I focused around the session management initialisation, called from the Setup.php file (in RequestContext::getMain()->getRequest()):

• in SessionBackend::__construct() (called in SessionManager::getSessionFromInfo()) the forceHTTPS property is initialised with $info->forceHTTPS(),
• the $info variable has its value initialised with SessionProvider->newSessionInfo() in SessionManager::getEmptySessionInternal() with the first SessionProvider (CookieSessionProvider in the default configuration)
• SessionProvider->newSessionInfo() returns a new SessionInfo object with no configuration parameter involved,
• SessionInfo constructor creates a new object with, in particular, its property forceHTTPS initialised to false.

I’m not sure how the things should be done, but the config parameter $wgServer should be used in the session management, during the construction of the objects.

The session stuff is unrelated. There's a preference to indicate that the user wants to always use HTTPS, which causes CookieSessionProvider to send most cookies with the 'secure' flag and to send a 'forceHTTPS' cookie unsecure so MediaWiki can redirect. All the stuff you identified in the session handling is dealing with setting and testing for that cookie.

What you probably want to look at is that MediaWiki ignores $wgSecureLogin if $wgServer isn't protocol-relative, added in rMW8102bb87bcb2: (bug 40679) Set $wgSecureLogin to false for $wgServers with schemes. with the thinking that if you configure $wgServer as https then you're saying your wiki isn't accessible over http at all (i.e. you have a generic http→https redirector in place like WMF does).

Indeed for $wgSecureLogin, but in fact it is only a side-effect, the main point is there is no redirect from HTTP to HTTPS. And indeed a generic http→https redirector is better than a MediaWiki one.

I didn’t mention it, but the user preference 'prefershttps' has the default value 1, so when $wgServer is 'https://example.org' all parameters say the site should be HTTPS. Perhaps the thing I assumed but MediaWiki is not [currently] assuming is: “if some HTTP is coming it should redirect to HTTPS”. In fact, this is a matter of “expected behaviour”: during a transition to HTTPS, the first thing I did is to change $wgServer and if/when things are correct, force the HTTPS at the webserver-level.

Perhaps the issue is that PROTO_CURRENT should only use the current protocol if wgServer is relative. If wgServer specifies a specific protocol, than PROTO_CURRENT should use that protocol instead of the current one.

See code in MediaWiki::tryNormaliseRedirect()

Can this be opened up to public? I understand that lack of https is a security issue - but I think its unclear if this is intended behaviour or not, and I would like feedback from the larger community.

Yes, it can be public. I hesited when I opened the bug, but given it is configuration-specific and should not be the prefered method to force https, this is only a minor security issue.

Change 134756 had a related patch set uploaded (by Krinkle; owner: CSteipp):
[mediawiki/core@master] WIP: Respect wgForceHttps on login

https://gerrit.wikimedia.org/r/134756

Change 134756 abandoned by Chad:
WIP: Respect wgForceHttps on login

https://gerrit.wikimedia.org/r/134756