Re: Can we change auto-logout timing on wiki.postgresql.org? - Mailing list pgsql-www
| From | Paul Waring |
|---|---|
| Subject | Re: Can we change auto-logout timing on wiki.postgresql.org? |
| Date | |
| Msg-id | 5193DE2E.8060107@xk7.net Whole thread Raw |
| In response to | Re: Can we change auto-logout timing on wiki.postgresql.org? (Magnus Hagander <magnus@hagander.net>) |
| List | pgsql-www |
On 15/05/13 19:47, Magnus Hagander wrote: > On Wed, May 15, 2013 at 8:44 PM, Paul Waring <paul@xk7.net> wrote: >> On 15/05/13 19:00, Magnus Hagander wrote: >>> >>> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <josh@agliodbs.com> wrote: >>>> >>>> On 05/15/2013 10:55 AM, Josh Berkus wrote: >>>>> >>>>> WWW, >>>>> >>>>> First off, whatever tuning you did didn't work. I'm still getting >>>>> logged out, after considerably less than 6 hours. I'd say about 20min, >>>>> in fact. >>>> >>>> >>>> Wait, no. That's not the issue. The real issue is somewhat stranger. >>>> >>>> 1. log into wiki.postgresql.org. >>>> >>>> 2. in a new browser tab/window, follow this link: >>>> >>>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting >>>> >>>> ... you will find yourself not logged in on that tab, even though you >>>> are on another tab. >>>> >>>> 3. now click this link: >>>> >>>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting >>>> >>>> ... now you're logged in. WTF? Apparently login state is only detected >>>> for HTTPS links? >>> >>> >>> Yes, the login cookie is set to be sent only over https, for security >>> reasons. >>> >>> For our other websites, this will be automatically detected and you >>> get redirected to https (try going to your account page on the main >>> website with http for example), but at last I don't know of a way to >>> do that in mediawiki. >>> >>> Should be easy enough to see - check your mediawiki cookies, and >>> you'll see they are enabled for https only. >> >> >> That's not quite accurate - there are three cookies set by *.postgresql.org: >> >> postgresql.org - csrftoken (expires a year after being set) > > That one is, I believe, not actually part of that site. It's leaking > over fromthe main website. > >> postgresql.org - sessionid (expires two weeks after being set) >> wiki.postgresql.org - wikidb_session (expires on browser close) >> >> Only the sessionid cookie requires a https connection, the other cookies >> will be sent if a request is made over a http connection. > > Yes. But the interesting cookies here are wikidbUserID and wikidbUserName. > > >> If all wiki connections should be over https - including guests - then that >> can be accomplished via a simple rule in the Apache virtual host >> configuration. If only logged in users require https then you'd need either > > Assumign we used apache. But yes, that's a trivial configuration in > any webserver. That is not the current intention, though we might want > to revisit that in the future. > >> a plugin to handle this, or register a 'hook' which is a small piece of PHP >> which is run before Mediawiki displays a page and forces a redirect if the >> request was not made over https *and* the wikidb_session cookie is set. > > Do you know if there's a readymade plugin that supports this? There does not appear to be one - the two which did exist have been deprecated and not updated since 2009, and in any case they only forced https on pages such as the login. -- Paul Waring http://www.pwaring.com