[Mediawiki-l] Plugin: Require HTTPS for SpecialUserlogin

Daniel Barrett danb at VistaPrint.com
Tue Aug 14 17:52:10 UTC 2007


The tricky part is handling all the other pages.  If your login page is
secure, then all the links appearing on the login page (e.g., navigation
links) also become secure because MediaWiki uses site-relative links.
So your webserver config somehow needs to say, "Always make the login
page secure, and also always make every other page non-secure. And by
the way, handle cookies properly so you don't set secure cookies by
accident, rendering your sessions invalid."  I didn't see a way to do
this, but then I'm not the ultimate Apache hacker.

IMHO, this feature (a secure login page) is so common, and so tricky to
get 100% correct, that it should be supplied with the MediaWiki base
software.

DanB

-----Original Message-----
Thomas Dalton asked:
Is there any way to do this in the server configuration, rather than in
MediaWiki? Just tell the server to always use https for that particular
page. (This may well be impossible, especially since the request is
initiated by the user, not the server, but if it's possible, it would be
easier than hacking MediaWiki.)





More information about the MediaWiki-l mailing list