[Mediawiki-l] HTTPS for Login Only No Longer Possible with 1.11?

Daniel Barrett danb at VistaPrint.com
Thu Sep 20 12:57:18 UTC 2007


I'm the author of the second (longer) method on that page.  It's working
fine for us on 1.11.0 with no changes.

DanB

-----Original Message-----
Michael B Allen asks:

In previous releases it was possible to do authentication under HTTPS
and then redirect the client to HTTP with a Location header as
described here:

http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_Login_only

But it seems with 1.11 something has changed as the session is
destroyed when flipping back to HTTP. In fact, the session isn't
initialized at all for unauthenticated users. Is that by design? Is
there an option to change this behavior?

Without being able to maintain the session while transitioning from HTTPS
to HTTP there's no way to use the login form securely short of simply
using HTTPS all the time.

To reproduce, log in under HTTPS. Then go to HTTP and you should see
that you're no longer logged in.

Thanks,
Mike
