> Another issue seems to be that because cookies are protected under
> SSL, once the client is directed back to the non-SSL site they cannot
> access any cookie created during the login. This is easily disabled
> but I'm wondering if it is wise to do so.
When a server sets a cookie in an HTTP response, it can optionally be marked
'secure' - if so, the browser will only return the cookie on subsequent
requests IF the connection is over HTTPS.
Cookies may be marked secure or not independently of whether the request is
HTTP or HTTPS. It sounds like in your case, the server is adding the
'secure' flag.
More info available here:
http://www.cookiecentral.com/faq/#3.3
Good luck!
-- Jim R. Wilson (jimbojw)
On 8/11/07, Michael B Allen <ioplex(a)gmail.com> wrote:
>
> Hi,
>
> I have a plugin for authenticating clients against the central
> directory on large Intranets. In this environment it is not ok to use
> directory passwords within an insecure login form. These passwords
> must be encrypted.
>
> I would like to create a plugin that requires HTTPS when calling
> SpecialUserlogin with action=submitlogin.
>
> Right now I'm looking at somehow affecting the result of
> $titleObject->getLocalUrl so that the https:// protocol may be
> injected. I have not quite determined how to direct the client back to
> the non-SSL site. Of course Location headers are an option [1] but I
> am worried that they might interfere with Single-Sign-On and other
> "autoAuthenticate" apparatus and in general they should, in theory,
> not be necessary.
>
> Another issue seems to be that because cookies are protected under
> SSL, once the client is directed back to the non-SSL site they cannot
> access any cookie created during the login. This is easily disabled
> but I'm wondering if it is wise to do so.
>
> Does anyone have some comments to add about this problem?
>
> Mike
>
> [1] I am aware of the following page but I would explore all options.
>
>
http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_…
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l(a)lists.wikimedia.org
>
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
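The browser behaviour Jim describes (a cookie carrying the Secure attribute is returned only over HTTPS) and the situation Mike describes (login over HTTPS, then the client is sent back to the plain-HTTP wiki) are modelled below. This is an added example, not code from MediaWiki or from either poster; the cookie jar is a deliberately simplified model of what a browser does, and the cookie names, values and hostname (wiki_session, wikiUserName, wiki.example) are constructed for illustration.

```python
"""Simplified model of how a browser honours the Secure cookie attribute.

Added example; not MediaWiki code. Only the Secure and Path attributes are
handled, which is all this scenario needs.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value such as 'sid=abc; Path=/; Secure'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


class CookieJar:
    """Stores cookies set by the server and decides which ones a request gets."""

    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def store(self, set_cookie_header: str) -> None:
        cookie = parse_set_cookie(set_cookie_header)
        self.cookies[cookie.name] = cookie  # same name overwrites, as in a browser

    def cookie_header_for(self, url: str) -> str:
        """Return the Cookie header a browser would send to `url` ("" if none).

        A Secure cookie is sent only when the scheme is https; every cookie
        must also path-match the request.
        """
        u = urlsplit(url)
        is_https = u.scheme == "https"
        path = u.path or "/"
        sent = [
            f"{c.name}={c.value}"
            for c in self.cookies.values()
            if (is_https or not c.secure) and path.startswith(c.path)
        ]
        return "; ".join(sent)


def login_then_browse(session_cookie_secure: bool) -> dict[str, str]:
    """Simulate the scenario in the thread.

    The login response over HTTPS sets the session cookie (with or without
    Secure); the client is then sent back to the plain-HTTP wiki. Returns the
    Cookie header that an https request and an http request would carry.
    Cookie names, values and the hostname are constructed for this example.
    """
    jar = CookieJar()
    session = "wiki_session=abc123; Path=/"
    if session_cookie_secure:
        session += "; Secure"
    jar.store(session)
    jar.store("wikiUserName=mike; Path=/")  # a non-Secure cookie for contrast
    return {
        "https": jar.cookie_header_for(
            "https://wiki.example/index.php?title=Special:Userlogin"),
        "http": jar.cookie_header_for(
            "http://wiki.example/index.php?title=Main_Page"),
    }


if __name__ == "__main__":
    for secure in (True, False):
        print(f"Secure={secure}:", login_then_browse(secure))
```

With the Secure attribute kept, the plain-HTTP request back on the wiki carries only wikiUserName, which is exactly the "cannot access any cookie created during the login" symptom in the question. Dropping the attribute makes the session cookie appear on the HTTP request too, but it then travels in cleartext on every page view, so the password protection gained by forcing HTTPS on the login form is undone for the session token itself. That is the trade-off behind the "is it wise" question.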