[Mediawiki-l] HTTPS for Login Only No Longer Possible with 1.11?
Michael B Allen
ioplex at gmail.com
Thu Sep 20 01:39:58 UTC 2007
Hi All,
In previous releases it was possible to do authentication under HTTPS
and then redirect the client to HTTP with a Location header as
described here:
http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_Login_only
But it seems with 1.11 something has changed as the session is
destroyed when flipping back to HTTP. In fact, the session isn't
initialized at all for unauthenticated users. Is that by design? Is
there an option to change this behavior?
Without being able to maintain the session while transitioning from HTTPS
to HTTP there's no way to use the login form securely short of simply
using HTTPS all the time.
To reproduce, log in under HTTPS. Then go to HTTP and you should see
that you're no longer logged in.
Thanks,
Mike