
Support Strict Secure Cookies
Open, Medium, Public

Description

Chrome is about to support a new security feature called Strict Secure Cookies which prevents secure cookies from being created or overwritten via HTTP. When a MediaWiki installation supports both HTTP and HTTPS and has $wgSecureLogin off, this change will break HTTP login on machines which were used for HTTPS login in the past.

The easy fix is to splice the protocol into the cookie name. The nice fix is to murder $wgSecureLogin, which IMO there is no good reason to support in 2017. Sites which support both HTTP and HTTPS should never log users in via HTTP, period. (The most recent Chrome and Firefox versions even display a warning when you try to type into a password form field on an HTTP connection.)