I suspect the explanation is simpler than that. I wonder if your
previous attempt did not handle the secure cookie issue mentioned in the
code...?
DanB
-----Original Message-----
From: mediawiki-l-bounces(a)lists.wikimedia.org
[mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Michael B
Allen
Sent: Thursday, September 20, 2007 2:20 PM
To: mediawiki-l(a)lists.wikimedia.org
Subject: Re: [Mediawiki-l] HTTPS for Login Only No Longer Possible with
1.11?
Hi DanB,
Well indeed that code does work. But I have to admit I'm dumb founded
as to how. If you login under HTTPS and then drop the 'S' and go to an
HTTP page, you're no longer logged in. But for some reason, if a
Location header is used for both redirecting into Special:Userlogin
and out of HTTPS immediately after logging in, the session is
maintained and user remains logged in. It seems there's a delicate
sequence that must be followed for the session to be initialized under
HTTPS when the login form is emitted and to maintain that session when
transitioning from HTTPS to HTTP.