Page MenuHomePhabricator
Create Task
Maniphest T55538

Logged users redirected to HTTPS only on some wikis
Closed, ResolvedPublic
Actions

Description

In the recent deployment of HTTPS the users who asked for being redirected to HTTPS are given global forceHTTPS cookies to be redirected to HTTPS on (theoretically) all wiki projects: Wikipedia, Wikisource, etc. In the current setup these global forceHTTPS cookies are set on global domains (.wikipedia.org, etc) but they are prefixed by the original wiki prefix (e.g. frwikiforceHTTPS) or by English-language prefixes (e.g. enwikisourceforceHTTPS), therefore the other language wikis are not redirected to HTTPS.

I guess that this is a bug since some languages (English) are redirected to HTTPS and the others are not, at least it is non-intuitive from a user point of view.

This bug is related to bug 53536 about the absence of removing of the global forceHTTPS cookies in the Wikimedia environment.

Version: wmf-deployment
Severity: normal

Details

Reference
bz53538

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:03 AM
bzimport added a project: HTTPS.
bzimport set Reference to bz53538.
Seb35 created this task.Aug 29 2013, 2:27 PM
Seb35 added a comment.Aug 29 2013, 3:05 PM

A solution for this bug would be to set non-prefixed forceHTTPS cookies (name="forceHTTPS") in the global domains.

This solution should be implemented in MediaWiki to check the existence of non-prefixed forceHTTPS cookies (Wiki::main) and in CentralAuthUser::setGlobalCookies.

This solution would facilitate the resolution of bug 53536 because all domains would have the same cookie, as opposed to the current situation where the original wiki project (where the user logged in) is prefixed by the original language wiki (e.g. frwikiforceHTTPS set on .wikipedia.org domain) and the other wiki projects prefixed by the English-language wikis (e.g. enwikisourceforceHTTPS).

gerritbot added a comment.Aug 29 2013, 8:41 PM

Change 81864 had a related patch set uploaded by CSteipp:
Remove prefix from forceHTTPS cookie

https://gerrit.wikimedia.org/r/81864

gerritbot added a comment.Aug 29 2013, 8:56 PM

Change 81864 merged by jenkins-bot:
Remove prefix from forceHTTPS cookie

https://gerrit.wikimedia.org/r/81864

gerritbot added a comment.Aug 29 2013, 8:57 PM

Change 81867 had a related patch set uploaded by CSteipp:
Remove prefix from forceHTTPS cookie

https://gerrit.wikimedia.org/r/81867

gerritbot added a comment.Aug 29 2013, 9:02 PM

Change 81867 merged by jenkins-bot:
Remove prefix from forceHTTPS cookie

https://gerrit.wikimedia.org/r/81867

Seb35 added a comment.Aug 29 2013, 10:54 PM

Thanks for your changes.

These changes will temporary break the redirections from HTTP to HTTPS for logged users when it will be deployed until the next login. If possible I think it is better to let wikitech ambassadors know this fact to reduce surprises of the editors; the next Tech News will be probably issued in English tommorow evening, is there an expected deployment date for these two changes? (I don’t know how it is scheduled)

csteipp added a comment.Aug 29 2013, 11:17 PM

It will go out with wmf16, on Sept 5th, unless we push it out early. I could also add a check for the old cookie name.

Seb35 added a comment.Aug 30 2013, 12:18 AM

If the old cookie is kept it will be until the end of September (4-5 WMF deployments) before natural expiration, and the code for the old cookie will become useless. Perhaps it is better to keep the old cookie to make smoother the transition? (I have no real opinion.)

gerritbot added a comment.Aug 31 2013, 12:01 AM

Change 82065 had a related patch set uploaded by CSteipp:
Also redirect if prefixed https cookie is preset

https://gerrit.wikimedia.org/r/82065

gerritbot added a comment.Sep 1 2013, 4:41 PM

Change 82065 merged by jenkins-bot:
Also redirect if prefixed https cookie is preset

https://gerrit.wikimedia.org/r/82065

Aklapper added a comment.Sep 2 2013, 12:22 PM

(In reply to comment #10)

Change 82065 merged by jenkins-bot:
Also redirect if prefixed https cookie is preset

Is more work needed to fix this bug report? If so, what?

csteipp added a comment.Sep 4 2013, 7:02 PM

The remaining fixes will be deployed with 1.22wmf16, so I think we can close the bug. If we need to deploy these sooner, we can schedule a time to backport and deploy the changes.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL