Page MenuHomePhabricator
Create Task
Maniphest T94125

Central login notice appears on unencrypted API format=*fm pages, where reloading does not affect login status
Closed, DeclinedPublic
Actions

Description

@Halfak and I noticed this earlier.

  • Log in to a Wikimedia wiki
  • Browse to /w/api.php?action=query&meta=userinfo via HTTP (not HTTPS)
  • See "You are centrally logged in. Reload the page to apply your user settings."
  • Reload page
  • No change. The login would've happened over HTTPS but this is unencrypted.
  • Load page via HTTPS instead
  • Now you're shown as logged in

Related Objects

Event Timeline

Krenair created this task.Mar 27 2015, 12:32 AM
Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description. (Show Details)
Krenair added projects: MediaWiki-extensions-CentralAuth, HTTPS, MediaWiki-Action-API.
Krenair added subscribers: Krenair, Halfak.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 27 2015, 12:32 AM
Anomie moved this task from Unsorted to Needs details or plan on the MediaWiki-Action-API board.Mar 27 2015, 3:13 PM
Aklapper triaged this task as Low priority.Mar 30 2015, 10:24 AM
jayvdb added a project: HTTPS-by-default.Jun 21 2015, 8:01 AM
jayvdb subscribed.

The stated sequence cant occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

BBlack removed a project: HTTPS-by-default.Aug 7 2015, 4:14 PM
BBlack set Security to None.
BBlack subscribed.
In T94125#1385626, @jayvdb wrote:

The stated sequence cant occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

The ticket isn't about WMF sites though, it's about MediaWiki (not all other sites are forcing HTTPS).

Aklapper added a project: Traffic.Feb 23 2016, 6:12 PM
Restricted Application added a project: SRE. · View Herald TranscriptFeb 23 2016, 6:12 PM
BBlack moved this task from Backlog to BadHerald on the Traffic board.Oct 4 2016, 1:44 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:01 PM
Ladsgroup removed projects: SRE, Traffic.Apr 21 2021, 2:36 PM
matmarex closed this task as Declined.Oct 13 2023, 8:50 AM
matmarex subscribed.

This only affects CentralAuth in a non-WMF configuration, which we don't support.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL