On Mon, Oct 3, 2011 at 12:13 PM, Ashar Voultoiz <[email protected]> wrote:

> Can you possibly enable $wgSecureLogin on all wikis?  The feature lets you
> log in under HTTPS when you come from HTTP.
>
> Man page:
>  http://www.mediawiki.org/wiki/Manual:$wgSecureLogin
>
> Revisions:
>  http://www.mediawiki.org/wiki/Special:Code/MediaWiki/75585
>

Hmm, this seems to indicate it will return you to http: after
authenticating; this is an unsafe practice which I would recommend strongly
against.

If you log in on HTTPS, we want to make sure that no session data (e.g. login
cookies) can leak to HTTP -- where someone on your wireless network could
hijack your session, delete a thousand pages on Wikipedia, and get your
account locked out.


Note also that there appear to still be issues with native SSL when there
are multiple subdomain levels, e.g.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=29896#c4> so we're not in a
hurry to point everybody at those https: links until some further shakedown
and fixes. :)

-- brion
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
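
Added example, not part of the thread and not MediaWiki code: a check for the two conditions the reply warns about, run over the response to an HTTPS login POST. It flags cookies set without the Secure attribute (browsers also send those over http:) and a post-login redirect that returns to http:. The cookie names and the wiki.example host are constructed sample data.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_login_response(set_cookie_headers, location=None):
    """Audit the response to an HTTPS login request.

    set_cookie_headers: list of raw Set-Cookie header values.
    location: value of the Location header, or None if there is no redirect.
    Returns a list of (finding, detail) tuples; an empty list means no leak
    path to plain HTTP was found.
    """
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Without Secure, the browser attaches the cookie to http:
            # requests for the same host, where it can be sniffed.
            if not morsel["secure"]:
                findings.append(("cookie-without-secure", name))
    # Relative and protocol-relative redirects keep the https: scheme, so
    # only an explicit http: target counts as a downgrade.
    if location and urlsplit(location).scheme.lower() == "http":
        findings.append(("redirect-downgrade", location))
    return findings


# Constructed sample: login over HTTPS that bounces the user back to HTTP.
DOWNGRADING = audit_login_response(
    ["wiki_session=abc123; Path=/; HttpOnly",
     "wiki_token=def456; Path=/; Secure; HttpOnly"],
    "http://wiki.example/wiki/Main_Page",
)

# Constructed sample: all cookies marked Secure, redirect stays on HTTPS.
HTTPS_ONLY = audit_login_response(
    ["wiki_session=abc123; Path=/; Secure; HttpOnly",
     "wiki_token=def456; Path=/; Secure; HttpOnly"],
    "https://wiki.example/wiki/Main_Page",
)

if __name__ == "__main__":
    for finding in DOWNGRADING:
        print(finding)
    print("https-only findings:", HTTPS_ONLY)
```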
