Page MenuHomePhabricator

Bug: Login page does not default to HTTPS
Closed, ResolvedPublic

Description

I have received some informal complaints that indicate that the login page at the shop, is not secure. This should probably redirect to HTTPS.

Event Timeline

K4-713 created this task.Apr 21 2015, 10:32 PM
K4-713 raised the priority of this task from to Needs Triage.
K4-713 updated the task description. (Show Details)
K4-713 added a project: Shop-Theme.
K4-713 added a subscriber: K4-713.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2015, 10:32 PM
K4-713 assigned this task to HuiZSF.Apr 21 2015, 10:33 PM
K4-713 set Security to None.
K4-713 added subscribers: vshchepakina, violetto.

Hi @K4-713, @vshchepakina and @violetto

I have tried to track login action, it submits user name and password to https://wikimedia.myshopify.com/account/login and then redirects me to store.wikimedia.org/account without https.

When I manually access https://store.wikimedia.org/account, it redirects me to login page. That means, the cookies generated by last login action has no effect... I have not idea about this...

I also tried to force login action to submit my username and password to https://store.wikimedia.org/account/login, I am also redirected to store.wikimedia.org/account. This time, however, when I manually access https://store.wikimedia.org/account I can stay on my account page and retrieve my information, the cookies work!

So my thought is

  1. Change the login action from https://wikimedia.myshopify.com/account/login to https://store.wikimedia.org/account/login, to get cookies work for https.
  2. Then we can add a setting to redirect users to a page with https.

However, I didn't find the a place to set up the login action in theme files.

Any suggestions please?

@K4-713 do you have any suggestions?

vshchepakina moved this task from Backlog to Next Up on the Shop-Theme board.Jun 3 2015, 5:09 PM

@K4-713 @vshchepakina
I have updated login page liquid and added a JS snippet to force all access to be redirected to https.
However, this is not the best solution, it may affect SEO of the website.
Please figure out a way to achieve this request on the server side.

Aklapper removed HuiZSF as the assignee of this task.Jun 24 2017, 11:46 AM
Aklapper added a subscriber: HuiZSF.

@HuiZSF: I am resetting the assignee of this task because there have not been any updates for the last two years. Resetting the assignee avoids the impression that somebody is working on this task. Please claim this task again if/when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu). Thanks!

Pcoombe closed this task as Resolved.Apr 26 2018, 9:32 PM
Pcoombe claimed this task.
Pcoombe added a subscriber: Pcoombe.

This was solved by adding HSTS (see also T128559).