
[SUGGESTION] Login page doesn't respect $wgSecureLogin
Closed, Resolved · Public

Description

When $wgSecureLogin is set to true, the OpenID login page should redirect the user to HTTPS so that all transactions occur over TLS.


Version: master
Severity: normal

Details

Reference
bz44353

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:40 AM
bzimport set Reference to bz44353.

(In reply to comment #0)

When $wgSecureLogin is set to true, the OpenID login page should redirect the
user to HTTPS so that all transactions occur over TLS.

@Tyler:

Isn't that a matter and task of the login code in MediaWiki core, which is now used from within OpenID?

Perhaps you can perform some tests with your local version and let me know?

I'm referring to how even when $wgSecureLogin is true, the Special:OpenIDLogin page (and the entire login process) still can take place over HTTP. Also, you can have HTTP providers even when $wgSecureLogin is enabled.
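
The two gaps described in the comment above (the login page being served over plain HTTP, and HTTP providers being accepted) come down to two checks. The PHP below is an added example, not code from MediaWiki core or the OpenID extension; the function names `secureLoginRedirect` and `providerAllowed` and the sample host and URLs are hypothetical.

```php
<?php
// Added illustration only. Function names are hypothetical and do not
// exist in MediaWiki core or in the OpenID extension.

/**
 * Return the HTTPS URL to redirect to, or null if the request may proceed.
 * $secureLogin mirrors $wgSecureLogin; $scheme is the protocol the request
 * arrived on. $canonicalHost must come from configuration, not from the
 * client-supplied Host header, or the redirect target becomes attacker-controlled.
 */
function secureLoginRedirect( bool $secureLogin, string $scheme, string $canonicalHost, string $requestUri ): ?string {
	if ( !$secureLogin || strtolower( $scheme ) === 'https' ) {
		return null;
	}
	// Keep path and query so the login flow resumes on the same page over TLS.
	return 'https://' . $canonicalHost . $requestUri;
}

/**
 * Decide whether an OpenID provider URL is acceptable.
 * With secure login enabled, only https:// endpoints pass.
 */
function providerAllowed( bool $secureLogin, string $providerUrl ): bool {
	$scheme = parse_url( trim( $providerUrl ), PHP_URL_SCHEME );
	if ( !is_string( $scheme ) ) {
		// No scheme or unparsable input: reject rather than assume http://.
		return false;
	}
	$scheme = strtolower( $scheme );
	if ( $secureLogin ) {
		return $scheme === 'https';
	}
	return $scheme === 'http' || $scheme === 'https';
}

// Constructed sample inputs.
$uri = '/wiki/Special:OpenIDLogin?returnto=Main_Page';
var_dump( secureLoginRedirect( true, 'http', 'wiki.example.org', $uri ) );
var_dump( secureLoginRedirect( true, 'https', 'wiki.example.org', $uri ) );
var_dump( secureLoginRedirect( false, 'http', 'wiki.example.org', $uri ) );
var_dump( providerAllowed( true, 'http://openid.example.net/server' ) );
var_dump( providerAllowed( true, 'HTTPS://openid.example.net/server' ) );
var_dump( providerAllowed( true, 'openid.example.net/server' ) );
```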

*** Bug 54512 has been marked as a duplicate of this bug. ***

Anomie added a comment. Oct 3 2013, 2:04 PM

Since bug 54512 has been marked as a duplicate of this, I'll note here that in addition to Special:OpenIDLogin the various URLs returned by Special:OpenIDXRDS also need to not fail if the forceHTTPS cookie might be set. See that bug for details.

*** This bug has been marked as a duplicate of bug 54512 ***

Restricted Application added a subscriber: StudiesWorld. Jan 28 2016, 6:06 PM