Le 16/11/12 22:04, Brion Vibber a écrit : <snip>
Do we have a timetable for migrating all login sessions to HTTPS yet? I love that we've got a clean HTTPS option available, but it really skeezes me out that we still allow logins and passwords over plain HTTP.
-- brion
I guess it is all about enabling $wgSecureLogin [1] which would force the login form to use HTTPS for its POST. I speedy hacked it two years ago and Chris Steipp has fixed it a few weeks ago.
Maybe we could enable it on test first and see how it goes?
[1] http://www.mediawiki.org/wiki/Manual:$wgSecureLogin