Page MenuHomePhabricator

forceHTTPS session cookie placed even with HTTPS opt-out set
Closed, ResolvedPublic


Forced secure connection...again...[edit]

Even though the "always use a secure connection" box is unchecked, I'm being redirected to https:// no matter what I do on each and every page. This is becoming bothersome. - The Bushranger One ping only 22:43, 25 September 2013 (UTC)

Which browser are you using? If Firefox, try zapping all the forceHTTPS cookies, as suggested a few weeks back. --Redrose64 (talk) 23:09, 25 September 2013 (UTC)

I'm using FF22. I tried that - but there was no forceHTTPS cookie after I logged out per the directions there. There was one that existed while I was logged in, and I deleted it while logged in - and was then able to navigate using http://...however, as soon as I signed out and back in again, I was right back stuck on https://. This is a Wikipedia issue, not a my-browser isssue, as it's force-feeding me the forceHTTPS cookie every time I log in, even though it was just fine on http:// this morning. - The Bushranger One ping only 23:25, 25 September 2013 (UTC)

I tried deleting and had similar problems - it's also force feeding me that cookie every time I log in. Why do the technical people have meddle so... and not tell us. Dpmuk (talk) 06:07, 26 September 2013 (UTC)

Version: master
Severity: normal



Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:16 AM
bzimport set Reference to bz54626.
bzimport added a subscriber: Unknown Object (MLST).

Change 86101 had a related patch set uploaded by Anomie:
Explicitly clear forceHTTPS cookie when insecure

Change 86101 merged by jenkins-bot:
Explicitly clear forceHTTPS cookie when insecure

Marking this fixed, since the patch is merged. It looks like this just missed being included in 1.22wmf19, so it should go out to WMF wikis with 1.22wmf20. See for the schedule.

Unless, of course, Chris or someone wants to backport it (which would probably happen then on Monday).

*** Bug 55368 has been marked as a duplicate of this bug. ***

Is this in fact in wmf20? I don't see it in the release notes in

I don't know why it's not on that release notes page, but I just checked on tin and it is included in the version of CentralAuth in /a/common/php-1.22wmf20/extensions/CentralAuth.

salisria wrote:

I'm getting forced into using HTTPS again today, so I'm reopening this bug. Not only that, but clearing the cookies doesn't help. If do that, then I get the popup message:
Central login
You are centrally logged in as XXXXXXX. Reload the page to apply your user settings.

And 15 different new HTTPS cookies added:
commons, incubator, login, mediawiki, meta, species, wikibooks, wikidata, wikinews, wikipedia, wikiquote, wikisource, wikiversity, wikivoyage, and wiktionary.

I am using Firefox 24.0.

salisria wrote:

Just realized something. One of the cookies was "". If I remember correctly, then before there were separate cookies for,, etc. Did someone do an optimization to use only one cookie per domain and then forget to give us the ability to opt out since there are no preferences users can set on "", just on the individual sites?

salisria wrote:

Okay, just tried one more thing. Clearing the cookies, logging out, and logging back in. That worked. But still, I should not have ever gotten into the state I was in of it forcing me into HTTPS, so something is still wonky, even if intermittently so.

If you can reproduce this now that you've logged out and logged back in, please file a new bug with specific instructions on reproducing.

Confirmed fixed in a Chrome private browser session with HTTPS disabled.

salisria wrote:

I have managed to reproduce it and this time noticed the trigger. Using Google Translate on a Wikipedia page. I have filed a new bug, Bug 55887.