[wplug-internet] [#KDT-295-77649]: Re: SSL Certificate Renewal Notice:www.wplug.org
Vance Kochenderfer
vance at happylemur.com
Sun Aug 30 22:42:44 EDT 2015
Pat Barron wrote:
> One issue is, the HTTPS versions of the pages aren't styled correctly.
> I suspect this is something in the Mediawiki settings. You can look at
> some pages using HTTPS to see what I mean.
The stylesheet and javascript were being loaded over HTTP. I set
$wgServer <https://www.mediawiki.org/wiki/Manual:$wgServer> to a
protocol-relative address (//www.wplug.org) so that these can be served
over either HTTP or HTTPS as needed. You should get no warnings now.
> Another issue is, if someone comes in on the HTTP version of the page
> and logs in, and we redirect them to HTTPS to log in, and then they flip
> back to HTTP to use the site - does the authentication cookie still work
> for them, or is it constrained to only be honored when using HTTPS?
> That may be somewhere in the Mediawiki settings, too. If there's no way
> to make that happen (not setting the "Secure" flag on the cookie), then
> I guess we'd need to redirect all traffic to the wiki into HTTPS and
> declare HTTP on the wiki to be deprecated.
You could look at <https://www.mediawiki.org/wiki/Manual:$wgSecureLogin>
and <https://www.mediawiki.org/wiki/Manual:$wgCookieSecure>. However,
in general I am personally opposed to forcing HTTPS on someone who
requested HTTP.
Vance Kochenderfer | "Get me out of these ropes and into a
vance at happylemur.com | good belt of Scotch" -Nick Danger
More information about the wplug-internet
mailing list