On Tue, Aug 20, 2013 at 11:07 AM, James Alexander <jalexander@wikimedia.org> wrote:
- The 'force https' preference is an option that is, by default, turned off.
It is turned on by default when $wgSecureLogin is enabled.
- However, for most wikis (not all), force https login is turned on.
That will be the case come tomorrow, yes.
- Because forced https login is turned on the 'default' for those people will be to move from an https login to an https page because our normal workflow is to always keep you on https if you are already on https (if you are on page X, like a login page, in https then the next page X2 is also in https).
Yes, this is correct.
- However, if you drop yourself down to http (for example just load the page in http by dropping the s from the address bar and pressing enter) you will not be forced back to https by default for the same reason (our normal workflow) assuming that you have not turned on the https preference.
No, it will put you back on HTTPS as that was the default. You have to turn the preference off.
- If you login from an http (non secure) login page such as zhWiki or faWiki you will be able to remain logged in while going to a non secure wiki page (http://en.wikipedia.org) and not be forced to https (unless you selected that in your preference).
Preferences are local, so unless the local preference has been set to false, you would end up on HTTPS.
On a side note: I assume the preference is wiki based rather than global?
Correct.
I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear.
-Chad