I suspect the explanation is simpler than that. I wonder if your previous attempt did not handle the secure cookie issue mentioned in the code...?
DanB
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Michael B Allen Sent: Thursday, September 20, 2007 2:20 PM To: mediawiki-l@lists.wikimedia.org Subject: Re: [Mediawiki-l] HTTPS for Login Only No Longer Possible with 1.11?
Hi DanB,
Well indeed that code does work. But I have to admit I'm dumb founded as to how. If you login under HTTPS and then drop the 'S' and go to an HTTP page, you're no longer logged in. But for some reason, if a Location header is used for both redirecting into Special:Userlogin and out of HTTPS immediately after logging in, the session is maintained and user remains logged in. It seems there's a delicate sequence that must be followed for the session to be initialized under HTTPS when the login form is emitted and to maintain that session when transitioning from HTTPS to HTTP.