[wplug-internet] [#KDT-295-77649]: Re: SSL Certificate Renewal Notice:www.wplug.org
Pat Barron
pat at lectroid.com
Mon Aug 31 08:49:24 EDT 2015
On 08/30/2015 10:42 PM, Vance Kochenderfer wrote:
> Pat Barron wrote:
>> One issue is, the HTTPS versions of the pages aren't styled correctly.
>> I suspect this is something in the Mediawiki settings. You can look at
>> some pages using HTTPS to see what I mean.
>
> The stylesheet and javascript were being loaded over HTTP. I set
> $wgServer <https://www.mediawiki.org/wiki/Manual:$wgServer> to a
> protocol-relative address (//www.wplug.org) so that these can be served
> over either HTTP or HTTPS as needed. You should get no warnings now.
Thanks - looks good!
>
>> Another issue is, if someone comes in on the HTTP version of the page
>> and logs in, and we redirect them to HTTPS to log in, and then they flip
>> back to HTTP to use the site - does the authentication cookie still work
>> for them, or is it constrained to only be honored when using HTTPS?
>> That may be somewhere in the Mediawiki settings, too. If there's no way
>> to make that happen (not setting the "Secure" flag on the cookie), then
>> I guess we'd need to redirect all traffic to the wiki into HTTPS and
>> declare HTTP on the wiki to be deprecated.
>
> You could look at <https://www.mediawiki.org/wiki/Manual:$wgSecureLogin>
> and <https://www.mediawiki.org/wiki/Manual:$wgCookieSecure>. However,
> in general I am personally opposed to forcing HTTPS on someone who
> requested HTTP.
In general, I am, too - thus the question I raised. ;-) I am, however,
OK with forcing HTTPS for entry of a password (or at least, making it
the default for that, before resuming the use of whatever transport the
user originally was using). Will check out the documentation you
mentioned....
--Pat.
More information about the wplug-internet
mailing list