Page MenuHomePhabricator

If coming from a non-secure website to a secured login, if force ssl is not enabled, it should return to the non-secure website.
Closed, ResolvedPublic

Description

Author: bugzillawiki

Description:
So looks like there's a bug if a mediawiki site has https enabled but doesn't want https anywhere other than login. So if the client comes via non-secure and goes to login with a secured wiki, then proceeds to login (and hasn't chosen to force SSL), the site continues to be in SSL.

Expected behavior: If a client logs in from non-ssl and the wiki has SSL enabled, and the client has not set "force ssl", the client should return to the non-secure wiki.

This patch should fix that behavior since the 'fromhttp' parameter wasn't being sent back to the post page properly:

https://gerrit.wikimedia.org/r/#/c/164882/


Version: 1.23.5
Severity: normal

Details

Reference
bz71716

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:49 AM
bzimport set Reference to bz71716.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Oct 6 2014, 7:27 PM

Change 165080 had a related patch set uploaded by Stephenliang:
If a user logs in while not on https, then the user should be sent back to the non-secure website if they did not explicitly choose to stay on the secure site

https://gerrit.wikimedia.org/r/165080

Is this report about MediaWiki, or a particular WMF site (so mediawiki + centralauth)?

If it's just mediawiki, I think this is a duplicate of bug 61048, but I want to make sure I understand the issue you're seeing.

bugzillawiki wrote:

No, this is applicable to stock mediawiki as the expected behavior isn't working on my wiki.

It doesn't look like this is a duplicate of bug 61048 which is related to not being logged in after returning to http://. This one is related to going from http -> https login -> https whereas we expect it to be http -> https login -> http

With this patch applied and after testing, I can confirm that you do stay logged in even when returning to http, so it looks like bug 61048 has been fixed?

This is bug 40541 once again.
What version of MediaWiki are you running? We had problems getting rid of this bug on OSM wiki too... I guess the underlying code is fragile.

bugzillawiki wrote:

I'm running version Mediawiki 1.23.5 (stock).

Change 165080 merged by jenkins-bot:
If a user logs in while not on https, then the user should be sent back to the non-secure website.

https://gerrit.wikimedia.org/r/165080

csteipp set Security to None.