Hi,
I have SSL setup and working with apache and can browse the site with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
Thanks, Al
On 1/22/2014 10:27 AM, Al wrote:
I have SSL setup and working with apache and can browse the site with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
I'm not sure if this is the "right" way of doing things (it doesn't take into account non-English languages, but I run an English-only wiki), but I managed to do this with mod_rewrite. Note that I use short URLs (path /wiki/, with the "raw" path being /wikix/):
<IfModule mod_ssl.c>
    # Query-string form of the login URL (raw path /wikix/)
    RewriteCond %{HTTPS} ^off$
    RewriteCond %{REQUEST_URI} ^/wikix/
    RewriteCond %{QUERY_STRING} title=Special:UserLogin
    RewriteRule ^/wikix/(.*) https://%{HTTP_HOST}/wikix/$1 [R,L]

    # Short-URL form of the login URL (path /wiki/)
    RewriteCond %{HTTPS} ^off$
    RewriteRule ^/wiki/Special:UserLogin https://%{HTTP_HOST}/wiki/Special:UserLogin [R,L]
</IfModule>
The first set of rules captures the query string version of the request, while the second set captures the short URL version. Also note that, in my experience, once the wiki has been put in HTTPS mode, it tends to like to stay there. I'm not sure if it's my configuration (I didn't explicitly set it this way), but if I try to force it to go back to HTTP, it "forgets" that I'm logged in, so I'm assuming it's setting the login cookie as HTTPS-only.
Hope this helps.
--
Jeffrey T. Darlington General Protection Fault http://www.gpf-comics.com/
On 2014-01-22 7:41 AM, Jeffrey T. Darlington wrote:
On 1/22/2014 10:27 AM, Al wrote:
I have SSL setup and working with apache and can browse the site
with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
I'm not sure if this is the "right" way of doing things (it doesn't take into account non-English languages, but I run an English-only wiki), but I managed to do this with mod_rewrite. Note that I use short URLs (path /wiki/, with the "raw" path being /wikix/):
Not the "right" way, the "right" way is to use $wgSecureLogin. https://www.mediawiki.org/wiki/Manual:$wgSecureLogin
Though I'm not sure of its state.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On Wed, Jan 22, 2014 at 7:27 AM, Al alj62888@yahoo.com wrote:
Hi,
I have SSL setup and working with apache and can browse the site with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
If you've already got a fully functional https setup alongside your http setup, you should just be able to set $wgSecureLogin to true.
https://www.mediawiki.org/wiki/Manual:$wgSecureLogin
-Chad
Thanks everyone! $wgSecureLogin alone worked!
On Wednesday, January 22, 2014 8:49 AM, Chad innocentkiller@gmail.com wrote:
On Wed, Jan 22, 2014 at 7:27 AM, Al alj62888@yahoo.com wrote:
Hi,
I have SSL setup and working with apache and can browse the site with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
If you've already got a fully functional https setup alongside your http setup, you should just be able to set $wgSecureLogin to true.
https://www.mediawiki.org/wiki/Manual:$wgSecureLogin
-Chad
You can put something like this to your LocalSettings.php:
---
$wgServer = "http://example.com";
$wgHooks['BeforeInitialize'][] = 'redirectIfLoggedIn';
function redirectIfLoggedIn( &$title, &$article, &$output, &$user, $request, $mediaWiki ){
    if ($user->isLoggedIn()) {
        if (strpos($title->getFullURL(),"http:") === 0){
            header('Location: '.str_replace("http","https",$title->getFullURL()));
            exit;
        }
        else{
            $wgServer = "https://example.com";
        }
    }
    return true;
}
---
2014/1/22 Al alj62888@yahoo.com
Hi,
I have SSL setup and working with apache and can browse the site with http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
Thanks, Al
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
On 2014-01-22 7:54 AM, dsge herr wrote:
You can put something like this to your LocalSettings.php:
$wgServer = "http://example.com";
$wgHooks['BeforeInitialize'][] = 'redirectIfLoggedIn';
function redirectIfLoggedIn( &$title, &$article, &$output, &$user, $request, $mediaWiki ){
    if ($user->isLoggedIn()) {
        if (strpos($title->getFullURL(),"http:") === 0){
            header('Location: '.str_replace("http","https",$title->getFullURL()));
            exit;
        }
        else{
            $wgServer = "https://example.com";
        }
    }
    return true;
}
I was going to clean this up, but then realized it was broken. It only takes effect after a user has already logged in. Meaning the user visits over http -> goes to the login form over http -> submits their password over http -> receives their session key and potential user_token over http -> then finally gets redirected to https. So the https redirection is worthless as the user has already kindly handed their password over to any MITM.
But some other pointers.
* :/ Please do not use getFullURL like that.
  o It's a horrible way to test for http (and in this case I don't believe it even has a meaning as I don't think that test will ever return saying that it starts with https)
  o getFullURL is not the correct URL to redirect to.
* You never want to change $wgServer like that, it gets cached in parser caches/etc... so you will end up with broken navigation.
* $wgServer also was missing a global declaration.
* These tests don't take into account readers attempting to browse over https and leave wgServer set to http for them.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
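Added example, not part of the original thread and not MediaWiki code: a small Python audit of a recorded login flow. It flags the failure described above (password and session cookie sent before the HTTPS redirect) and a session cookie that lacks the Secure attribute. The traces, host, paths and cookie name are constructed placeholders.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# One recorded request/response pair (field names are this example's own).
Exchange = namedtuple("Exchange", "method url sends_password status location set_cookie")
REDIRECTS = (301, 302, 303, 307, 308)

def audit_login_trace(trace):
    """Return (index, finding) pairs for a recorded login flow."""
    findings = []
    for i, ex in enumerate(trace):
        cleartext = urlsplit(ex.url).scheme != "https"
        if ex.sends_password and cleartext:
            findings.append((i, "password submitted over cleartext HTTP"))
        for cookie in ex.set_cookie:
            name = cookie.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if cleartext:
                findings.append((i, f"cookie {name} issued over cleartext HTTP"))
            elif "secure" not in attrs:
                findings.append((i, f"cookie {name} lacks the Secure attribute"))
        to_https = ex.status in REDIRECTS and (ex.location or "").startswith("https://")
        if (ex.method == "GET" and "Special:UserLogin" in ex.url
                and cleartext and not to_https):
            findings.append((i, "login form served over HTTP with no redirect to HTTPS"))
    return findings

# Constructed traces; host, paths and cookie name are placeholders.
LOGIN = "example.com/wiki/Special:UserLogin"
COOKIE = "examplewiki_session=0123abcd; path=/; HttpOnly"

# Flow described in the message above: HTTPS only after login has succeeded.
REDIRECT_AFTER_LOGIN = [
    Exchange("GET", f"http://{LOGIN}", False, 200, None, []),
    Exchange("POST", f"http://{LOGIN}", True, 302,
             "http://example.com/wiki/Main_Page", [COOKIE]),
    Exchange("GET", "http://example.com/wiki/Main_Page", False, 302,
             "https://example.com/wiki/Main_Page", []),
]

# Flow where the login form is moved to HTTPS before anything is typed.
REDIRECT_BEFORE_LOGIN = [
    Exchange("GET", f"http://{LOGIN}", False, 302, f"https://{LOGIN}", []),
    Exchange("GET", f"https://{LOGIN}", False, 200, None, []),
    Exchange("POST", f"https://{LOGIN}", True, 302,
             "https://example.com/wiki/Main_Page", [COOKIE + "; Secure"]),
]

if __name__ == "__main__":
    for label, trace in (("after", REDIRECT_AFTER_LOGIN), ("before", REDIRECT_BEFORE_LOGIN)):
        print(label, audit_login_trace(trace))
```
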
On Jan 22, 2014 7:29 AM, "Al" alj62888@yahoo.com wrote:
Hi,
I have SSL setup and working with apache and can browse the site with
http or https, but does anyone know how to make mediaWiki switch to https when logging on? Or, at the very least, switch temporarily just for the login?
If you can run https for everyone, set wgServer and canonical url to the https version. Then set up an apache (or whatever web server you're running) rule to redirect any http traffic to https.
If you only want https for login and established sessions, use wgSecureLogin. We use that on WMF domains, so if you have any issues with it please open a bug and we'll get it fixed up.
Thanks, Al