Page MenuHomePhabricator

Bug: Login page does not default to HTTPS
Closed, ResolvedPublic


I have received some informal complaints that indicate that the login page at the shop, is not secure. This should probably redirect to HTTPS.

Event Timeline

K4-713 raised the priority of this task from to Needs Triage.
K4-713 updated the task description. (Show Details)
K4-713 added a project: Wikipedia-Store-Theme.
K4-713 subscribed.
K4-713 set Security to None.
K4-713 added subscribers: vshchepakina, violetto.

Hi @K4-713, @vshchepakina and @violetto

I have tried to track login action, it submits user name and password to and then redirects me to without https.

When I manually access, it redirects me to login page. That means, the cookies generated by last login action has no effect... I have not idea about this...

I also tried to force login action to submit my username and password to, I am also redirected to This time, however, when I manually access I can stay on my account page and retrieve my information, the cookies work!

So my thought is

  1. Change the login action from to, to get cookies work for https.
  2. Then we can add a setting to redirect users to a page with https.

However, I didn't find the a place to set up the login action in theme files.

Any suggestions please?

@K4-713 @vshchepakina
I have updated login page liquid and added a JS snippet to force all access to be redirected to https.
However, this is not the best solution, it may affect SEO of the website.
Please figure out a way to achieve this request on the server side.

Aklapper added a subscriber: HuiZSF.

@HuiZSF: I am resetting the assignee of this task because there have not been any updates for the last two years. Resetting the assignee avoids the impression that somebody is working on this task. Please claim this task again if/when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu). Thanks!

Pcoombe claimed this task.
Pcoombe subscribed.

This was solved by adding HSTS (see also T128559).