On 3 October 2011 21:18, Brion Vibber <brion(a)pobox.com> wrote:
On Mon, Oct 3, 2011 at 12:13 PM, Ashar Voultoiz
<hashar+wmf(a)free.fr>
wrote:
Can you possible enable $wgSecureLogin on all
wiki? The feature let you
login under HTTPS when you are come from HTTP.
Man page:
http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
Revisions:
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/75585
Hmm, this seems to indicate it will return you to http: after
authenticating; this is an unsafe practice which I would recommend strongly
against.
If you log in on HTTPS, we want to make sure that no session data (eg login
cookies) can leak to HTTP -- where someone on your wireless network could
hijack your session, delete a thousand pages on Wikipedia, and get your
account locked out.
The $wgSecureLogin thing was and is a treatment to a symptom of the problem,
not its cause. Once the bugs brion mentions are worked through, we should
be encouraging all logged-in users to go to, and stay with, SSL. What
$wgSecureLogin should do is prompt all visits to Special:UserLogin to be
redirected to https, and *not* send them back.
--HM