Re: Can we change auto-logout timing on wiki.postgresql.org? - Mailing list pgsql-www

From Paul Waring
Subject Re: Can we change auto-logout timing on wiki.postgresql.org?
Date
Msg-id 5193D77A.70403@xk7.net
Whole thread Raw
In response to Re: Can we change auto-logout timing on wiki.postgresql.org?  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Can we change auto-logout timing on wiki.postgresql.org?
List pgsql-www
On 15/05/13 19:00, Magnus Hagander wrote:
> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <josh@agliodbs.com> wrote:
>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>> WWW,
>>>
>>> First off, whatever tuning you did didn't work.  I'm still getting
>>> logged out, after considerably less than 6 hours.  I'd say about 20min,
>>> in fact.
>>
>> Wait, no.  That's not the issue.  The real issue is somewhat stranger.
>>
>> 1. log into wiki.postgresql.org.
>>
>> 2. in a new browser tab/window, follow this link:
>>
>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... you will find yourself not logged in on that tab, even though you
>> are on another tab.
>>
>> 3. now click this link:
>>
>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... now you're logged in. WTF? Apparently login state is only detected
>> for HTTPS links?
>
> Yes, the login cookie is set to be sent only over https, for security reasons.
>
> For our other websites, this will be automatically detected and you
> get redirected to https (try going to your account page on the main
> website with http for example), but at last I don't know of a way to
> do that in mediawiki.
>
> Should be easy enough to see - check your mediawiki cookies, and
> you'll see they are enabled for https only.

That's not quite accurate - there are three cookies set by *.postgresql.org:

postgresql.org - csrftoken (expires a year after being set)
postgresql.org - sessionid (expires two weeks after being set)
wiki.postgresql.org - wikidb_session (expires on browser close)

Only the sessionid cookie requires a https connection, the other cookies 
will be sent if a request is made over a http connection.

If all wiki connections should be over https - including guests - then 
that can be accomplished via a simple rule in the Apache virtual host 
configuration. If only logged in users require https then you'd need 
either a plugin to handle this, or register a 'hook' which is a small 
piece of PHP which is run before Mediawiki displays a page and forces a 
redirect if the request was not made over https *and* the wikidb_session 
cookie is set.

-- 
Paul Waring
http://www.pwaring.com



pgsql-www by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
Next
From: Magnus Hagander
Date:
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?