I'm the author of the second (longer) method on that page. It's working fine for us on 1.11.0 with no changes.
DanB
-----Original Message-----
Michael B Allen asks:
In previous releases it was possible to do authentication under HTTPS and then redirect the client to HTTP with a Location header as described here:
http://meta.wikimedia.org/wiki/Help:Configuration_tips_and_tricks#HTTPS_on_Login_only
But it seems with 1.11 something has changed as the session is destroyed when flipping back to HTTP. In fact, the session isn't initialized at all for unauthenticated users. Is that by design? Is there an option to change this behavior?
Without being able to maintain the session while transitioning from HTTPS to HTTP, there's no way to use the login form securely short of simply using HTTPS all the time.
To reproduce, log in under HTTPS. Then go to HTTP and you should see that you're no longer logged in.
Thanks, Mike