
Central login notice appears on unencrypted API format=*fm pages, where reloading does not affect login status
Open, Low, Public

Description

@Halfak and I noticed this earlier.

  • Log in to a Wikimedia wiki
  • Browse to /w/api.php?action=query&meta=userinfo via HTTP (not HTTPS)
  • See "You are centrally logged in. Reload the page to apply your user settings."
  • Reload page
  • No change. The login would've happened over HTTPS but this is unencrypted.
  • Load page via HTTPS instead
  • Now you're shown as logged in

Event Timeline

Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description.
Krenair added subscribers: Krenair, Halfak.
jayvdb added a subscriber: jayvdb.

The stated sequence can't occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

BBlack set Security to None.
BBlack added a subscriber: BBlack.

The stated sequence can't occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

The ticket isn't about WMF sites though, it's about MediaWiki (not all other sites are forcing HTTPS).