
Add a cookie-based preference which redirects all http requests to https
Closed, Resolved, Public

Description

Currently, if a user is logged in on an https page and comes to Wikipedia by following a link on a 3rd-party website which points to the http version, the page will be in a logged-out state. If he fails to realize this and edits a page, his Wikipedia page browsing history and IP address may be leaked. If he realizes this, he has to change http to https again and again (unless he's using a 3rd-party browser extension).

There can be a resolution: when a user logs in on an https page, set an insecure cookie which says "redirect me to https page", and clear it when he logs out. In this way, the only disadvantage I can see is one more request and the info for a possible attacker: there's a logged-in user at this IP reading this page by following some link on this website.


Version: unspecified
Severity: enhancement
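
The mechanism proposed in the description, as an added sketch that is not part of the original report or of MediaWiki's code: the session cookie is marked Secure while a separate hint cookie is not, so a plain-http request carries only the hint and is redirected to https. The cookie names `prefer_https` and `session` and all function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

HINT = "prefer_https"   # hypothetical cookie name, not from the page
SESSION = "session"     # hypothetical session cookie name


def login_cookies(session_id):
    """Set-Cookie header values issued after a login over https."""
    c = SimpleCookie()
    c[SESSION] = session_id
    c[SESSION]["secure"] = True      # never sent over plain http
    c[SESSION]["httponly"] = True
    c[SESSION]["path"] = "/"
    c[HINT] = "1"                    # deliberately NOT Secure, so http requests carry it
    c[HINT]["path"] = "/"
    return [m.OutputString() for m in c.values()]


def logout_cookies():
    """Expire both cookies so later http visits are no longer redirected."""
    c = SimpleCookie()
    for name in (SESSION, HINT):
        c[name] = ""
        c[name]["path"] = "/"
        c[name]["max-age"] = 0
    return [m.OutputString() for m in c.values()]


def cookies_sent(set_cookie_headers, scheme):
    """Cookie header a browser would send for `scheme`: Secure cookies only on https."""
    jar = SimpleCookie()
    for h in set_cookie_headers:
        jar.load(h)
    return "; ".join(f"{k}={m.value}" for k, m in jar.items()
                     if scheme == "https" or not m["secure"])


def handle(url, cookie_header):
    """Return (status, location): redirect http requests that carry the hint."""
    parts = urlsplit(url)
    cookies = SimpleCookie(cookie_header)
    if parts.scheme == "http" and HINT in cookies and cookies[HINT].value == "1":
        return 302, urlunsplit(("https",) + tuple(parts[1:]))
    return 200, None
```

What an observer on the network sees on the initial http request is the hint cookie and the requested URL, which matches the disadvantage the description names; the session identifier itself stays on https.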

Details

Reference
bz31432

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 21 2014, 11:50 PM
bzimport added a project: HTTPS.
bzimport set Reference to bz31432.
bzimport added a subscriber: Unknown Object (MLST).

This is related to, if not a duplicate of, bug 29898.

(In reply to comment #1)

> This is related to, if not a duplicate of, bug 29898.

Duping and copying relevant information over.

*** This bug has been marked as a duplicate of bug 29898 ***