[Mediawiki-l] Plugin: Require HTTPS for SpecialUserlogin

Michael B Allen ioplex at gmail.com
Sat Aug 11 15:22:03 UTC 2007


Hi,

I have a plugin for authenticating clients against the central
directory on large Intranets. In this environment it is not ok to use
directory passwords within an insecure login form. These passwords
must be encrypted.

I would like to create a plugin that requires HTTPS when calling
SpecialUserlogin with action=submitlogin.

Right now I'm looking at somehow affecting the result of
$titleObject->getLocalUrl so that the https:// protocol may be
injected. I have not quite determined how to direct the client back to
the non-SSL site. Of course, Location headers are an option [1], but I
am worried that they might interfere with Single-Sign-On and other
"autoAuthenticate" apparatus, and in general they should, in theory,
not be necessary.

Another issue seems to be that because cookies are protected under
SSL, once the client is directed back to the non-SSL site they cannot
access any cookie created during the login. This is easily disabled
but I'm wondering if it is wise to do so.

Does anyone have some comments to add about this problem?

Mike

[1] I am aware of the following page but I would explore all options.
http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_Login_only
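The following is an added example, not code from the original post, from the poster's plugin, or from MediaWiki itself. It shows one way to do what the post asks for inside LocalSettings.php: rewrite the login form's action URL (the value produced by getLocalUrl) so the password is posted over https://, refuse a submitlogin that nevertheless arrives over plain HTTP, and keep $wgServer on http:// so MediaWiki's own post-login redirect returns the client to the non-SSL site. Assumptions not found in the post: one host name ("wiki.example") serves the wiki over both http and https; the function name mwHttpsLoginFormAction is invented here; UserLoginForm, $wgServer and $wgCookieSecure are the real MediaWiki hook and settings of those names.

```php
<?php
// Added example: fragment for LocalSettings.php (drop the opening tag when
// appending to an existing file). Not the poster's plugin, not MediaWiki code.
// Assumption: the wiki is reachable at http://wiki.example and https://wiki.example.

$wgServer = 'http://wiki.example';   // assumed host; keep http:// here (see below)

// 1. Post the login form to https://.
// UserLoginForm is a real MediaWiki hook; it passes the login template whose
// 'action' entry holds the form target built from getLocalUrl(), e.g.
// /index.php?title=Special:Userlogin&action=submitlogin
function mwHttpsLoginFormAction( &$template ) {
    global $wgServer;
    $action = $template->data['action'];
    if ( strpos( $action, '://' ) === false ) {
        // Turn the local path into an absolute https:// URL on the same host.
        $secureServer = preg_replace( '!^http://!', 'https://', $wgServer );
        $template->set( 'action', $secureServer . $action );
    }
    return true;
}
$wgHooks['UserLoginForm'][] = 'mwHttpsLoginFormAction';

// 2. Refuse a login POST that still arrives over plain http (a client that
// ignored the https form action). By the time this runs the password has
// already crossed the wire, so this cannot protect it; it only stops the wiki
// from honouring the credentials and issuing a session on the insecure side.
if ( isset( $_REQUEST['action'] ) && $_REQUEST['action'] === 'submitlogin'
     && ( empty( $_SERVER['HTTPS'] ) || $_SERVER['HTTPS'] === 'off' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    header( 'Content-Type: text/plain' );
    echo "Login must be submitted over https.\n";
    exit;
}

// 3. Return to the non-SSL site without a Location header of our own.
// After a successful login MediaWiki redirects to the returnto page using an
// absolute URL built from $wgServer. Because $wgServer above stays http://
// even while this request is served over https, that redirect lands the
// client back on the plain-http site.

// 4. Cookies. The session cookie is set during the https POST; with the
// default $wgCookieSecure (true when the request is https) it carries the
// Secure flag and the browser will not send it to http://wiki.example.
// Clearing the flag makes the login visible on the non-SSL site, at the cost
// of the session cookie travelling in clear on every later request.
$wgCookieSecure = false;
```

The trade-off in step 4 is the real decision here: only the password is kept off the wire, while the session cookie that the login produces is exposed on every subsequent plain-http request, so anyone who can read the intranet traffic can still take over the session even though they never saw the directory password. Serving the whole wiki over https avoids that, and the 403 in step 2 is worth keeping regardless, since the form-action rewrite is the only control that actually prevents the password from being sent in clear.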