2011/2/13 Ville Stadista <ville.stadista(a)gmail.com>:
Currently, if you log in on secure you are not logged in on the unencrypted site, even if I allow setting third party cookies in the browser settings. I assume the login session is common to both unencrypted and encrypted, so would it be possible to transfer the session from secure.wikimedia.org? This way users could log in securely but choose to use the unencrypted site for the normal tasks.

This is not a bug, it's a feature. If you were automatically logged in on the insecure sites when logging in on the secure site, someone could just trick you into visiting wikipedia.org (e.g. by including an image from wikipedia.org on their web page, or through various other means) and your browser would happily send your session cookies to wikipedia.org unencrypted. If that someone happens to also be on the same public wifi and has Firesheep running, they can now hijack your login session.

Roan Kattouw (Catrope)
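The mechanism Roan describes, a browser attaching the session cookie to any plain-http request for the cookie's domain, is exactly what the cookie Secure attribute exists to prevent. The following is an added example, not code from the thread or from MediaWiki: it uses Python's standard-library cookie jar, which applies the same rule a browser does, to show that a session cookie without Secure is sent to http:// and https:// alike, while the same cookie marked Secure is withheld from the unencrypted request. The host name `wiki.example.org`, the cookie names and the values are constructed for the demonstration.

```python
"""Added example (not from the original thread): why a login session cookie
must carry the Secure attribute if the same session is ever to be honoured on
both an https:// host and a plain http:// host.  Host names and cookie values
below are constructed for the demo."""
import http.cookiejar
import urllib.request

HOST = "wiki.example.org"  # constructed; stands in for the wiki host


def make_cookie(name, value, secure):
    """Build a version-0 (Netscape style) cookie scoped to HOST and path /."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar(secure_session):
    """Jar holding a login session cookie; `secure_session` toggles its Secure flag.
    A harmless preference cookie without the flag is added for comparison."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "s3cr3t-session-id", secure_session))
    jar.set_cookie(make_cookie("theme", "vector", False))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no cookie qualifies (same policy a browser applies)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_leaks_over_http(secure_session):
    """True if the session id would travel in clear text to http://HOST/."""
    header = cookie_header_for(build_jar(secure_session),
                               f"http://{HOST}/wiki/Main_Page")
    return header is not None and "session=" in header


if __name__ == "__main__":
    for flag in (False, True):
        jar = build_jar(flag)
        print(f"session cookie Secure={flag}")
        for scheme in ("https", "http"):
            url = f"{scheme}://{HOST}/wiki/Main_Page"
            print(f"  {scheme}: Cookie: {cookie_header_for(jar, url)}")
```

With Secure unset, the http request carries `session=...` and anyone on the same network segment can read it; with Secure set, only the preference cookie goes out over http, which is why a shared login between secure and insecure hosts cannot be made safe by cookie transfer alone.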