Re: Can we change auto-logout timing on wiki.postgresql.org? - Mailing list pgsql-www
| From | Magnus Hagander |
|---|---|
| Subject | Re: Can we change auto-logout timing on wiki.postgresql.org? |
| Date | |
| Msg-id | CABUevEyDaMsB9fNaPmTX1RTU0L2qKgk0mw=VH5PbvWHxApVkYg@mail.gmail.com |
| In response to | Re: Can we change auto-logout timing on wiki.postgresql.org? (Paul Waring <paul@xk7.net>) |
| Responses | Re: Can we change auto-logout timing on wiki.postgresql.org? |
| List | pgsql-www |
On Wed, May 15, 2013 at 8:44 PM, Paul Waring <paul@xk7.net> wrote:
> On 15/05/13 19:00, Magnus Hagander wrote:
>>
>> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <josh@agliodbs.com> wrote:
>>>
>>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>>>
>>>> WWW,
>>>>
>>>> First off, whatever tuning you did didn't work. I'm still getting
>>>> logged out, after considerably less than 6 hours. I'd say about 20min,
>>>> in fact.
>>>
>>> Wait, no. That's not the issue. The real issue is somewhat stranger.
>>>
>>> 1. log into wiki.postgresql.org.
>>>
>>> 2. in a new browser tab/window, follow this link:
>>>
>>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>
>>> ... you will find yourself not logged in on that tab, even though you
>>> are on another tab.
>>>
>>> 3. now click this link:
>>>
>>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>
>>> ... now you're logged in. WTF? Apparently login state is only detected
>>> for HTTPS links?
>>
>> Yes, the login cookie is set to be sent only over https, for security
>> reasons.
>>
>> For our other websites, this will be automatically detected and you
>> get redirected to https (try going to your account page on the main
>> website with http for example), but at least I don't know of a way to
>> do that in mediawiki.
>>
>> Should be easy enough to see - check your mediawiki cookies, and
>> you'll see they are enabled for https only.
>
> That's not quite accurate - there are three cookies set by *.postgresql.org:
>
> postgresql.org - csrftoken (expires a year after being set)

That one is, I believe, not actually part of that site. It's leaking over from
the main website.

> postgresql.org - sessionid (expires two weeks after being set)
> wiki.postgresql.org - wikidb_session (expires on browser close)
>
> Only the sessionid cookie requires a https connection, the other cookies
> will be sent if a request is made over a http connection.

Yes.

But the interesting cookies here are wikidbUserID and wikidbUserName.

> If all wiki connections should be over https - including guests - then that
> can be accomplished via a simple rule in the Apache virtual host
> configuration. If only logged in users require https then you'd need either

Assuming we used apache. But yes, that's a trivial configuration in any
webserver. That is not the current intention, though we might want to revisit
that in the future.

> a plugin to handle this, or register a 'hook' which is a small piece of PHP
> which is run before Mediawiki displays a page and forces a redirect if the
> request was not made over https *and* the wikidb_session cookie is set.

Do you know if there's a readymade plugin that supports this?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
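One way to implement the hook Paul describes, as an added example for LocalSettings.php (not code from the thread, nor from MediaWiki or the postgresql.org wiki): it assumes the wiki's cookie prefix is `wikidb`, as the cookie names in the thread suggest, and uses MediaWiki's BeforePageDisplay hook.

```php
<?php
// LocalSettings.php fragment (added example, not the wiki's real configuration).
// Assumption: $wgCookiePrefix is "wikidb", so the cookies are wikidb_session,
// wikidbUserID and wikidbUserName, as named in the thread.

// The detection only works because these cookies are still sent over plain
// http (Paul observed that only the main site's sessionid cookie is marked
// Secure). If every wiki cookie were marked Secure via $wgCookieSecure = true,
// the browser would withhold them on http and this hook would never fire;
// the marker cookie therefore must be one that carries no secret, such as
// the UserID/UserName pair, not the authenticating session cookie.
$wgHooks['BeforePageDisplay'][] = function ( OutputPage &$out, Skin &$skin ) {
    $request = $out->getRequest();

    // WebRequest::getCookie() prepends $wgCookiePrefix, so '_session' resolves
    // to 'wikidb_session' and 'UserID' to 'wikidbUserID'.
    $looksLoggedIn = $request->getCookie( '_session' ) !== null
        || $request->getCookie( 'UserID' ) !== null;

    // Anonymous readers with neither cookie stay on http, matching the stated
    // intention in the thread of not forcing https on guests.
    if ( $looksLoggedIn && $request->getProtocol() !== 'https' ) {
        $target = preg_replace(
            '#^http://#i',
            'https://',
            $request->getFullRequestURL()
        );
        // 302 so the client re-requests the same page over https, where the
        // Secure login cookie is sent and the user appears logged in.
        $out->redirect( $target, 302 );
    }

    // Old-style hooks must return true to let other handlers run.
    return true;
};
```

BeforPageDisplay runs after the page has already been rendered, so the redirect wastes one render per http hit from a logged-in user; a web-server level rule keyed on the same cookie avoids that cost if the setup allows it.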