On 2014-01-22 7:54 AM, dsge herr wrote:
You can put something like this in your LocalSettings.php:
---
$wgServer = "http://example.com";
$wgHooks['BeforeInitialize'][] = 'redirectIfLoggedIn';
function redirectIfLoggedIn( &$title, &$article, &$output, &$user, $request, $mediaWiki ){
    if ($user->isLoggedIn()) {
        if (strpos($title->getFullURL(),"http:") === 0){
            header('Location: '.str_replace("http","https",$title->getFullURL()));
            exit;
        }
        else{
            $wgServer = "https://example.com";
        }
    }
    return true;
}

I was going to clean this up, but then realized it was broken.
It only takes effect after a user has already logged in.
Meaning the user visits over http -> goes to the login form over http ->
submits their password over http -> receives their session key and
potential user_token over http -> then finally gets redirected to https.
So the https redirection is worthless as the user has already kindly
handed their password over to any MITM.
But some other pointers.
* :/ Please do not use getFullURL like that.
    o It's a horrible way to test for http (and in this case I don't
      believe it even has a meaning as I don't think that test will
      ever return saying that it starts with https)
    o getFullURL is not the correct URL to redirect to.
* You never want to change $wgServer like that, it gets cached in
  parser caches/etc... so you will end up with broken navigation.
* $wgServer also was missing a global declaration.
* These tests don't take into account readers attempting to browse
  over https and leave $wgServer set to http for them.

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
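
Added example, not part of the original thread and not MediaWiki's own code: a LocalSettings.php fragment that redirects every plain-http request before any login form or session cookie is served, tests the scheme from the request itself rather than from getFullURL, and leaves $wgServer constant. The helper name httpsRedirectTarget is hypothetical, and it assumes TLS terminates on the same web server so that PHP sees $_SERVER['HTTPS'].

```php
<?php
// Added example for LocalSettings.php; not code from the thread.
// Assumption: TLS terminates on this web server, so $_SERVER['HTTPS'] is set
// for encrypted requests. Behind a TLS-terminating proxy, use the proxy's
// trusted signal instead.

$wgServer = 'https://example.com'; // constant; never changed per request
$wgCookieSecure = true;            // cookies are only sent over https

/**
 * Hypothetical helper: return the https URL to redirect to, or null when
 * the request already arrived over https.
 */
function httpsRedirectTarget( array $server, $canonicalHost ) {
    $https = isset( $server['HTTPS'] ) ? strtolower( $server['HTTPS'] ) : '';
    if ( $https !== '' && $https !== 'off' ) {
        return null; // already encrypted, nothing to do
    }
    // Redirect to the URI that was actually requested, not a rebuilt title URL.
    $uri = isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '/';
    // Accept only a local path without CR/LF; fall back to the site root.
    if ( $uri === '' || $uri[0] !== '/' || preg_match( '/[\r\n]/', $uri ) ) {
        $uri = '/';
    }
    // Use the configured host, not the client-supplied Host header.
    return 'https://' . $canonicalHost . $uri;
}

if ( PHP_SAPI !== 'cli' ) { // skip maintenance scripts run from the shell
    $target = httpsRedirectTarget( $_SERVER, 'example.com' );
    if ( $target !== null ) {
        // Applies to anonymous and logged-in users alike, so the login
        // form itself is only ever served over https.
        header( 'Location: ' . $target, true, 301 );
        exit;
    }
    // Ask browsers to go straight to https on later visits.
    header( 'Strict-Transport-Security: max-age=31536000' );
}
```

A redirect cannot protect a request that has already been sent in the clear, so the same rule is better enforced in the web server configuration where that is available.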