Nah, I set $wgCookieSecure = false (if I didn't my solution would not
have worked with previous releases either).
My implementation did two things differently. First, I didn't use a
redirect to the login form. I used a hook to get the login form and
set its action to an https based URL so that when the form was
submitted it was under HTTPS. Second, after logging in, I redirected
the user back to HTTP immediately whereas in the working code the user
is only redirected from HTTPS to HTTP when they try to subsequently
request a link that is not Special:Userlogin.
On 9/20/07, Daniel Barrett <danb(a)vistaprint.com> wrote:
I suspect the explanation is simpler than that. I wonder if your
previous attempt did not handle the secure cookie issue mentioned in the
code...?
DanB
-----Original Message-----
From: mediawiki-l-bounces(a)lists.wikimedia.org
[mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Michael B
Allen
Sent: Thursday, September 20, 2007 2:20 PM
To: mediawiki-l(a)lists.wikimedia.org
Subject: Re: [Mediawiki-l] HTTPS for Login Only No Longer Possible with
1.11?
Hi DanB,
Well indeed that code does work. But I have to admit I'm dumbfounded
as to how. If you log in under HTTPS and then drop the 'S' and go to an
HTTP page, you're no longer logged in. But for some reason, if a
Location header is used for both redirecting into Special:Userlogin
and out of HTTPS immediately after logging in, the session is
maintained and the user remains logged in. It seems there's a delicate
sequence that must be followed for the session to be initialized under
HTTPS when the login form is emitted and to maintain that session when
transitioning from HTTPS to HTTP.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
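
The secure cookie issue discussed in this thread, as an added example that is not code from any of the posters or from MediaWiki: it uses Python's standard cookie jar to show which session cookie a client returns after an HTTPS login when the next request is HTTP. The host name, cookie name and session value are constructed placeholders, and the Secure variant stands for the cookie issued when `$wgCookieSecure` is enabled.

```python
# Added example (not from the thread): how a client's cookie jar treats the
# session cookie when login happens over HTTPS and later pages over HTTP.
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed values: host, cookie name and session id are placeholders.
LOGIN_URL = "https://wiki.example/index.php?title=Special:Userlogin"
HTTP_PAGE = "http://wiki.example/index.php?title=Main_Page"
HTTPS_PAGE = "https://wiki.example/index.php?title=Main_Page"
SECURE_COOKIE = "wikidb_session=abc123; Path=/; Secure"  # cookie marked Secure
PLAIN_COOKIE = "wikidb_session=abc123; Path=/"  # as with $wgCookieSecure = false


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie, next_url, login_url=LOGIN_URL):
    """Return the Cookie header a client would send to next_url after
    receiving set_cookie from login_url, or None if nothing is sent."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie]), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)  # applies the Secure/scheme check
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, cookie in (("Secure", SECURE_COOKIE), ("not Secure", PLAIN_COOKIE)):
        for url in (HTTPS_PAGE, HTTP_PAGE):
            scheme = url.split(":")[0]
            print(f"{label:10} -> {scheme:5}: {cookie_header_sent(cookie, url)}")
```

The non-Secure case is the one that lets the login survive the switch back to HTTP, and it also means the session id crosses the network unencrypted on every HTTP request.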