Central login notice appears on unencrypted API format=*fm pages, where reloading does not affect login status
Open, Low, Public

Description

@Halfak and I noticed this earlier.

  • Log in to a Wikimedia wiki
  • Browse to /w/api.php?action=query&meta=userinfo via HTTP (not HTTPS)
  • See "You are centrally logged in. Reload the page to apply your user settings."
  • Reload page
  • No change. The login would've happened over HTTPS but this is unencrypted.
  • Load page via HTTPS instead
  • Now you're shown as logged in
Krenair created this task. Mar 27 2015, 12:32 AM
Krenair updated the task description.
Krenair raised the priority of this task from to Needs Triage.
Krenair added subscribers: Krenair, Halfak.
Restricted Application added a subscriber: Aklapper. Mar 27 2015, 12:32 AM
Aklapper triaged this task as Low priority. Mar 30 2015, 10:24 AM
jayvdb added a subscriber: jayvdb.

The stated sequence can't occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

BBlack set Security to None.
BBlack added a subscriber: BBlack.

> The stated sequence can't occur any more due to HTTPS rollout, so maybe this bug is solved. (Also this is a bit like T57887: Using Google Translate for a Wikipedia page causes forceHTTPS session cookies to be placed, which still occurs)

The ticket isn't about WMF sites though, it's about MediaWiki (not all other sites are forcing HTTPS).

Restricted Application added a project: Operations. Feb 23 2016, 6:12 PM
BBlack moved this task from Triage to BadHerald on the Traffic board. Oct 4 2016, 1:44 PM