[Mediawiki-l] Plugin: Require HTTPS for SpecialUserlogin

Jim Wilson wilson.jim.r at gmail.com
Sat Aug 11 17:01:01 UTC 2007


> Another issue seems to be that because cookies are protected under
> SSL, once the client is directed back to the non-SSL site they cannot
> access any cookie created during the login. This is easily disabled
> but I'm wondering if it is wise to do so.

When a server sets a cookie in an HTTP response, it can optionally be marked
'secure' - if so, the browser will only return the cookie on subsequent
requests IF the connection is over HTTPS.

Cookies may be marked secure or not independently of whether the request is
HTTP or HTTPS.  It sounds like in your case, the server is adding the
'secure' flag.

More info available here: http://www.cookiecentral.com/faq/#3.3

Good luck!

-- Jim R. Wilson (jimbojw)
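The behaviour Jim describes above, modelled as an added example (not code from the thread or from MediaWiki): a minimal cookie jar that parses Set-Cookie headers and decides, per RFC 6265, which cookies a browser would attach to a later request. The cookie names and values are constructed for illustration; the login-over-HTTPS-then-back-to-HTTP flow is Mike's scenario from the quoted message.

```python
"""Model of how a browser applies the Secure cookie attribute.

A cookie set with 'Secure' is stored normally but is only sent back on
requests whose scheme is https. This reproduces the symptom in the thread:
log in over HTTPS, get redirected to plain HTTP, and the Secure session
cookie is silently absent from every request.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value; Attr; Attr=val ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":          # bare attribute, no value
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "path" and val:
            cookie.path = val.strip()
        # Domain, Max-Age, Expires etc. are ignored in this toy model
    return cookie


class CookieJar:
    """Stores cookies by name and answers 'what would be sent to this URL?'"""

    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def store(self, set_cookie_header: str) -> None:
        cookie = parse_set_cookie(set_cookie_header)
        self.cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> list[str]:
        """Names of cookies a browser would attach to a request for url."""
        parts = urlsplit(url)
        over_https = parts.scheme == "https"
        request_path = parts.path or "/"
        sent = []
        for cookie in self.cookies.values():
            if cookie.secure and not over_https:
                continue  # Secure cookies never leave the browser over plain HTTP
            if not request_path.startswith(cookie.path):
                continue
            sent.append(cookie.name)
        return sorted(sent)


def login_then_return_to_http() -> dict[str, list[str]]:
    """Login response over HTTPS sets two cookies; compare what each scheme gets."""
    jar = CookieJar()
    # Constructed Set-Cookie headers: one plain cookie, one marked Secure
    jar.store("wikidb_UserID=42; Path=/; HttpOnly")
    jar.store("wikidb_session=c0ffee; Path=/; Secure; HttpOnly")
    return {
        "https": jar.cookies_for("https://wiki.example.org/index.php?title=Main_Page"),
        "http": jar.cookies_for("http://wiki.example.org/index.php?title=Main_Page"),
    }


if __name__ == "__main__":
    for scheme, names in login_then_return_to_http().items():
        print(f"{scheme}: sends {names}")
```

Running it shows both cookies sent over https and only the non-Secure one over http. Dropping the Secure flag so the session cookie follows the user back to the HTTP site does make the login "work", but it also means the session cookie, which is as good as the password for the life of the session, crosses the wire in clear on every subsequent request; the flag is doing exactly what it is meant to do.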

On 8/11/07, Michael B Allen <ioplex at gmail.com> wrote:
>
> Hi,
>
> I have a plugin for authenticating clients against the central
> directory on large Intranets. In this environment it is not ok to use
> directory passwords within an insecure login form. These passwords
> must be encrypted.
>
> I would like to create a plugin that requires HTTPS when calling
> SpecialUserlogin with action=submitlogin.
>
> Right now I'm looking at somehow affecting the result of
> $titleObject->getLocalUrl so that the https:// protocol may be
> injected. I have not quite determined how to direct the client back to
> the non-SSL site. Of course Location headers are an option [1] but I
> am worried that they might interfere with Single-Sign-On and other
> "autoAuthenticate" apparatus and in general they should, in theory,
> not be necessary.
>
> Another issue seems to be that because cookies are protected under
> SSL, once the client is directed back to the non-SSL site they cannot
> access any cookie created during the login. This is easily disabled
> but I'm wondering if it is wise to do so.
>
> Does anyone have some comments to add about this problem?
>
> Mike
>
> [1] I am aware of the following page but I would explore all options.
>
> http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_Login_only
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

