When a user logs out of a single wiki (one that is not part of a wiki farm), the forceHTTPS cookie is deleted. In the Wikimedia environment, login.wikimedia.org sets top-domain forceHTTPS cookies (.wikipedia.org, .wikiversity.org, etc.) which are not deleted when the user logs out, so s/he is still redirected to HTTPS as an anonymous user; even if s/he logs in again after having unchecked the preference "Always use a secure connection when logged in", s/he is still redirected to HTTPS because the global forceHTTPS cookie is still there. These global forceHTTPS cookies should therefore be deleted when the user logs out. The relevant HTTP headers are:
Login from the specific wiki (here frwiki):
Set-Cookie: frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; httponly
Continuation of the login, from login.wikimedia.org:
Set-Cookie: frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; path=/; domain=.wikipedia.org; httponly
Logout (specific wiki):
Set-Cookie: frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; httponly
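The following Python model, added here and not part of the original report or of MediaWiki, replays the three headers above through a minimal RFC 6265 cookie store to show why the logout header cannot clear the central cookie: a cookie is identified by its (name, domain, path) triple, and the logout Set-Cookie has no domain attribute, so it only evicts the host-only frwiki cookie while the .wikipedia.org cookie keeps arriving on anonymous requests. The request host fr.wikipedia.org, the "current" time and the extra LOGOUT_CENTRAL header (what a fix would have to send: same name, domain and path as the central login cookie, with an expiry in the past) are assumptions; the model does not enforce the browser's domain-match rule on who may set a domain cookie.

```python
"""Model of why a host-only logout Set-Cookie cannot clear a domain-scoped
forceHTTPS cookie.  Added example; LOGIN_* and LOGOUT_LOCAL are the report's
headers, LOGOUT_CENTRAL is an assumed fix header."""
from datetime import datetime, timezone
from http.cookies import SimpleCookie

HOST = "fr.wikipedia.org"          # assumed request host for frwiki
COOKIE_NAME = "frwikiforceHTTPS"

# Headers quoted in the report, one per line.
LOGIN_LOCAL = ("frwikiforceHTTPS=true; expires=Sat, 28-Sep-2013 00:49:37 GMT; "
               "path=/; httponly")
LOGIN_CENTRAL = ("frwikiforceHTTPS=1; expires=Sat, 28-Sep-2013 00:49:37 GMT; "
                 "path=/; domain=.wikipedia.org; httponly")
LOGOUT_LOCAL = ("frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
                "path=/; secure; httponly")
# Assumption: the header a logout would have to emit to evict the central
# cookie.  Name, domain and path must match the cookie being removed.
LOGOUT_CENTRAL = ("frwikiforceHTTPS=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
                  "path=/; domain=.wikipedia.org; httponly")

NOW = datetime(2013, 9, 1, tzinfo=timezone.utc)   # constructed "current" time


def parse_expires(value):
    """Parse the Netscape-style expiry format used in the report's headers."""
    return datetime.strptime(value, "%a, %d-%b-%Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def apply_set_cookie(jar, header, request_host, now=NOW):
    """Store or evict cookies the way RFC 6265 prescribes: a cookie is
    identified by (name, domain, path); an expiry in the past evicts only
    the cookie with exactly that triple.  `jar` maps the triple to a value."""
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        domain = morsel["domain"].lstrip(".").lower()
        # No domain attribute means a host-only cookie for the request host.
        key = (name, domain or request_host.lower(), morsel["path"] or "/")
        if morsel["expires"] and parse_expires(morsel["expires"]) <= now:
            jar.pop(key, None)
        else:
            jar[key] = morsel.value
    return jar


def cookies_sent_to(jar, request_host):
    """Names of cookies a browser would attach to a request for this host:
    exact host-only match, or the host lies within the cookie's domain."""
    host = request_host.lower()
    return sorted(
        name for (name, domain, _path) in jar
        if host == domain or host.endswith("." + domain)
    )


def forces_https(jar, request_host):
    """What the server-side check effectively sees: any forceHTTPS cookie
    arriving means the (now anonymous) request is redirected to HTTPS."""
    return COOKIE_NAME in cookies_sent_to(jar, request_host)


def reproduce(fix=False):
    """Replay login (local wiki, then central login), then logout.
    Returns (forced while logged in, forced after logout, surviving keys)."""
    jar = {}
    apply_set_cookie(jar, LOGIN_LOCAL, HOST)
    apply_set_cookie(jar, LOGIN_CENTRAL, HOST)   # the central-login step's domain cookie
    while_logged_in = forces_https(jar, HOST)
    apply_set_cookie(jar, LOGOUT_LOCAL, HOST)    # evicts only the host-only cookie
    if fix:
        apply_set_cookie(jar, LOGOUT_CENTRAL, HOST)
    return while_logged_in, forces_https(jar, HOST), sorted(jar)


if __name__ == "__main__":
    print("as reported:", reproduce())
    print("with domain-scoped logout header:", reproduce(fix=True))
```

Without the extra header the .wikipedia.org cookie survives logout and `forces_https` stays true for fr.wikipedia.org; adding an expired Set-Cookie with the same domain and path removes it. The same logic also shows the cookie would not be sent to a host under another top domain such as .wikiversity.org, which is why each top-domain cookie needs its own eviction.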
I originally reported this bug on bug 53379, but that one was focused on a user interaction issue rather than on a real forceHTTPS cookie issue (it was a single wiki); my first remarks are there. I mistakenly made a diagnosis and proposed a solution, but the real bug is this one.
Version: master
Severity: major