From: | Paul Waring <paul(at)xk7(dot)net> |
---|---|
To: | pgsql-www(at)postgresql(dot)org |
Subject: | Re: Can we change auto-logout timing on wiki.postgresql.org? |
Date: | 2013-05-15 19:12:46 |
Message-ID: | 5193DE2E.8060107@xk7.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On 15/05/13 19:47, Magnus Hagander wrote:
> On Wed, May 15, 2013 at 8:44 PM, Paul Waring <paul(at)xk7(dot)net> wrote:
>> On 15/05/13 19:00, Magnus Hagander wrote:
>>>
>>> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>>>>
>>>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>>>>
>>>>> WWW,
>>>>>
>>>>> First off, whatever tuning you did didn't work. I'm still getting
>>>>> logged out, after considerably less than 6 hours. I'd say about 20min,
>>>>> in fact.
>>>>
>>>>
>>>> Wait, no. That's not the issue. The real issue is somewhat stranger.
>>>>
>>>> 1. log into wiki.postgresql.org.
>>>>
>>>> 2. in a new browser tab/window, follow this link:
>>>>
>>>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>>
>>>> ... you will find yourself not logged in on that tab, even though you
>>>> are on another tab.
>>>>
>>>> 3. now click this link:
>>>>
>>>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>>>
>>>> ... now you're logged in. WTF? Apparently login state is only detected
>>>> for HTTPS links?
>>>
>>>
>>> Yes, the login cookie is set to be sent only over https, for security
>>> reasons.
>>>
>>> For our other websites, this will be automatically detected and you
>>> get redirected to https (try going to your account page on the main
>>> website with http for example), but at last I don't know of a way to
>>> do that in mediawiki.
>>>
>>> Should be easy enough to see - check your mediawiki cookies, and
>>> you'll see they are enabled for https only.
>>
>>
>> That's not quite accurate - there are three cookies set by *.postgresql.org:
>>
>> postgresql.org - csrftoken (expires a year after being set)
>
> That one is, I believe, not actually part of that site. It's leaking
> over fromthe main website.
>
>> postgresql.org - sessionid (expires two weeks after being set)
>> wiki.postgresql.org - wikidb_session (expires on browser close)
>>
>> Only the sessionid cookie requires a https connection, the other cookies
>> will be sent if a request is made over a http connection.
>
> Yes. But the interesting cookies here are wikidbUserID and wikidbUserName.
>
>
>> If all wiki connections should be over https - including guests - then that
>> can be accomplished via a simple rule in the Apache virtual host
>> configuration. If only logged in users require https then you'd need either
>
> Assumign we used apache. But yes, that's a trivial configuration in
> any webserver. That is not the current intention, though we might want
> to revisit that in the future.
>
>> a plugin to handle this, or register a 'hook' which is a small piece of PHP
>> which is run before Mediawiki displays a page and forces a redirect if the
>> request was not made over https *and* the wikidb_session cookie is set.
>
> Do you know if there's a readymade plugin that supports this?
There does not appear to be one - the two which did exist have been
deprecated and not updated since 2009, and in any case they only forced
https on pages such as the login.
--
Paul Waring
http://www.pwaring.com
From | Date | Subject | |
---|---|---|---|
Next Message | Maria Ramos | 2013-05-16 09:46:27 | Consent to translate your web page at http://wiki.postgresql.org/ |
Previous Message | Magnus Hagander | 2013-05-15 18:47:19 | Re: Can we change auto-logout timing on wiki.postgresql.org? |