Page MenuHomePhabricator

Stop sending the forceHTTPS cookie, make the HTTPS redirect unconditional
Closed, ResolvedPublic

Description

The forceHTTPS cookie is cruft left over from an intermediate stage of the HTTP to HTTPS migration. Usage of forceHTTPS in CentralAuth will break in July 2020 due to a browser policy change which requires all cross-domain cookies to have the Secure attribute.

History

forceHTTPS was introduced in September 2012 rMW5801da5f86e1: (bug 29898) Set cookie to force HTTPS from HTTP to support the wpStickHTTPS checkbox on the login form.

The checkbox was later replaced by a user preference, and MediaWiki::main() checks the preference directly. However, with $wgCookieSecure, the user is not logged in before they are redirected, so the separate cookie needed to be retained. The preference is hidden in WMF production using $wgHiddenPrefs, citing T102245.

CentralAuth also sends a forceHTTPS cookie whenever it sends a session cookie with the Secure option. The core and extension views of the cookie were eventually integrated to fix conflicts between them.

Removal of the forceHTTPS cookie was discussed as part of T110353. The only objection was that someone (outside of WMF) might still want it. I think that is unlikely at this point. Browser vendors are ratcheting up the pressure on web developers to switch to HTTPS. By far the easiest solution for a small wiki is to just switch unconditionally.

Proposal

  • Add $wgForceHTTPS. This will make the HTTP -> HTTPS redirect be unconditional.
  • Do not send the forceHTTPS cookie when $wgForceHTTPS is true.

Future work

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 23 2020, 4:58 AM
tstarling triaged this task as High priority.Jun 23 2020, 5:02 AM
tstarling added subscribers: Bawolff, Krinkle, Nirmos and 2 others.
tstarling updated the task description. (Show Details)Jun 23 2020, 5:07 AM
tstarling updated the task description. (Show Details)Jun 23 2020, 5:10 AM

A patch will be uploaded soon.

There is the question of requests to entry points other than index.php. In production, they are all redirected by Varnish. But MediaWiki does not redirect them, so any internal requests that skip varnish will currently be served. If $wgForceHTTPS is enforced consistently, these would redirect or fail, potentially having a production impact.

This comment was removed by Krinkle.

Due to a linebreak, these commit wasn't reported associated in code review:

Change by @tstarling was merged:

[mediawiki/core] Introduce $wgForceHTTPS

https://gerrit.wikimedia.org/r/608504

Change by @tstarling was merged:

[mediawiki/extensions/CentralAuth] Support the new core config $wgForceHTTPS

https://gerrit.wikimedia.org/r/608505

Change 610127 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Beta Cluster)

https://gerrit.wikimedia.org/r/610127

Change 610147 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group0)

https://gerrit.wikimedia.org/r/610147

Change 610148 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group1)

https://gerrit.wikimedia.org/r/610148

Change 610149 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (group2; all wikis)

https://gerrit.wikimedia.org/r/610149

Change 610127 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Beta Cluster)

https://gerrit.wikimedia.org/r/610127

Krinkle claimed this task.Jul 9 2020, 5:19 PM

Change 610147 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 1)

https://gerrit.wikimedia.org/r/610147

Change 610148 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 2)

https://gerrit.wikimedia.org/r/610148

Change 612395 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 3)

https://gerrit.wikimedia.org/r/612395

Change 612396 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 4)

https://gerrit.wikimedia.org/r/612396

Change 612395 merged by Krinkle:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 3)

https://gerrit.wikimedia.org/r/612395

Change 612396 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable wgForceHTTPS and wgCookieSameSite='None' (Phase 4)

https://gerrit.wikimedia.org/r/612396

Krinkle closed this task as Resolved.Jul 14 2020, 2:37 PM

Not expecting a fix, but just noting the backport to 1.31 is faulty: PHP Notice: Undefined variable: wgRedirectOnLogin in /[...]/includes/specials/helpers/LoginHelper.php on line 68