[Mediawiki-l] Plugin: Require HTTPS for SpecialUserlogin

Michael B Allen ioplex at gmail.com
Sun Aug 12 16:04:59 UTC 2007

Well this is what I came up with. Still uses a Location header after
the user logs in but it targets the login form action more
specifically and the code is relatively simple. Most of it deals with
simply coming up with a URL to redirect the client to after they login
so that they don't have an opportunity to branch off into https land.
And most importantly it seems to work well.

Of course I'd be interested if anyone thinks they can improve on this
or if they endorse the methods used.


function userLoginForm($template) {
    global $wgServerName;

    $action = $template->data['action'];
    $template->set('action', 'https://' . $wgServerName . $action);

    $returnto = 'Main_Page';
    if (isset($_GET['returnto'])) {
        switch ($_GET['returnto']) {
            case 'Special:Userlogin':
            case 'Special:Userlogout':
                $returnto = $_GET['returnto'];
    $title = Title::newFromText($returnto);
    if ($title)
        $_SESSION['returntourl'] = $title->getFullURL();
function autoAuthenticate($user) {
    if (isset($_GET['title']) &&
                isset($_GET['action']) &&
                $_GET['title'] == 'Special:Userlogin' &&
                $_GET['action'] == 'submitlogin') {
        if (isset($_SESSION['returntourl'])) {
            global $wgCookieSecure;
            $wgCookieSecure = false;
            header('Location: ' . $_SESSION['returntourl']);

    return TRUE;
$wgHooks['UserLoginForm'][] = 'userLoginForm';
$wgHooks['AutoAuthenticate'][] = 'autoAuthenticate';

More information about the MediaWiki-l mailing list