public inbox for [email protected]  
From: Paul Waring <[email protected]>
To: [email protected]
Subject: Re: Can we change auto-logout timing on wiki.postgresql.org?
Date: Wed, 15 May 2013 19:44:10 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <CABUevEwGM-uyOdUnb5eZ3DB5MkHy=0HSA2jshME_6J7ZnptrXw@mail.gmail.com>
References: <CABUevEw0asBAR6jS=aqKBG1OAJmTsMP1FiocCm-cLJfqGEAm_w@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CABUevEwn9jDpaVSHb9c74WR0tOjjZYPgk4VgpB97V9+Go4dtYQ@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<WM!6f81d4c6e742a2b2e3d05d562d6f85a8314ec6a0b3f63f5b8be4d64c57f7b02482dec7186106ca106b322f17626502d5!@asav-3.01.com>
	<[email protected]>
	<WM!37cb11f20c82bbcbf2b5b0690afbc76a85af2e1945a0c0301135623c827073650ec7efd75f04e813f33eaad01e3b9bbe!@asav-2.01.com>
	<[email protected]>
	<CABUevEwGM-uyOdUnb5eZ3DB5MkHy=0HSA2jshME_6J7ZnptrXw@mail.gmail.com>
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgsql-www>

On 15/05/13 19:00, Magnus Hagander wrote:
> On Wed, May 15, 2013 at 7:58 PM, Josh Berkus <[email protected]> wrote:
>> On 05/15/2013 10:55 AM, Josh Berkus wrote:
>>> WWW,
>>>
>>> First off, whatever tuning you did didn't work.  I'm still getting
>>> logged out, after considerably less than 6 hours.  I'd say about 20min,
>>> in fact.
>>
>> Wait, no.  That's not the issue.  The real issue is somewhat stranger.
>>
>> 1. log into wiki.postgresql.org.
>>
>> 2. in a new browser tab/window, follow this link:
>>
>> http://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... you will find yourself not logged in on that tab, even though you
>> are on another tab.
>>
>> 3. now click this link:
>>
>> https://wiki.postgresql.org/wiki/PgCon_2013_Developer_Meeting
>>
>> ... now you're logged in. WTF? Apparently login state is only detected
>> for HTTPS links?
>
> Yes, the login cookie is set to be sent only over https, for security reasons.
>
> For our other websites, this will be automatically detected and you
> get redirected to https (try going to your account page on the main
> website with http for example), but at least I don't know of a way to
> do that in mediawiki.
>
> Should be easy enough to see - check your mediawiki cookies, and
> you'll see they are enabled for https only.

That's not quite accurate - there are three cookies set by *.postgresql.org:

postgresql.org - csrftoken (expires a year after being set)
postgresql.org - sessionid (expires two weeks after being set)
wiki.postgresql.org - wikidb_session (expires on browser close)

Only the sessionid cookie requires an https connection; the other cookies 
will be sent if a request is made over an http connection.

If all wiki connections should be over https - including guests - then 
that can be accomplished via a simple rule in the Apache virtual host 
configuration. If only logged-in users require https then you'd need 
either a plugin to handle this, or register a 'hook', which is a small 
piece of PHP which is run before Mediawiki displays a page and forces a 
redirect if the request was not made over https *and* the wikidb_session 
cookie is set.

-- 
Paul Waring
http://www.pwaring.com


-- 
Sent via pgsql-www mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www
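The hook Paul describes, written out as an added example for LocalSettings.php (this is not code from the thread, from postgresql.org or from MediaWiki itself). It assumes the session cookie is named wikidb_session, i.e. $wgCookiePrefix is 'wikidb' (MediaWiki names the session cookie $wgCookiePrefix . '_session'), that $wgServer is set protocol-relative ('//wiki.postgresql.org') so the https URL can be built from it rather than from the untrusted Host header, and a MediaWiki new enough to have WebRequest::getProtocol() and the BeforeInitialize hook. The Secure attribute on MediaWiki's own cookies is controlled separately by $wgCookieSecure; this hook only stops logged-in users from landing on http pages where they appear logged out.

```php
<?php
// Added example for LocalSettings.php: force https for requests that carry a
// MediaWiki session cookie, leave anonymous http readers alone.
//
// Assumptions (not taken from the thread): $wgCookiePrefix = 'wikidb', so the
// session cookie is 'wikidb_session'; $wgServer = '//wiki.postgresql.org'.
// If *every* request should be https, an Apache rule in the :80 vhost
// (Redirect permanent / https://wiki.postgresql.org/) is simpler than this.

$wgHooks['BeforeInitialize'][] = function ( &$title, &$unused, &$output, &$user, $request, $mediaWiki ) {
	// Already on TLS: nothing to do.
	if ( $request->getProtocol() === 'https' ) {
		return true;
	}

	// WebRequest::getCookie() prepends $wgCookiePrefix itself, so '_session'
	// resolves to 'wikidb_session' under the assumed prefix. No cookie means an
	// anonymous reader, who may keep using plain http.
	if ( $request->getCookie( '_session' ) === null ) {
		return true;
	}

	// Same path and query string, but on https. wfExpandUrl() takes the host
	// from $wgServer, never from the client-supplied Host header, which keeps
	// this from becoming an open redirect. The preg_replace() covers a
	// $wgServer that hard-codes 'http://' instead of being protocol-relative.
	$target = wfExpandUrl( $request->getRequestURL(), PROTO_HTTPS );
	$target = preg_replace( '#^http://#i', 'https://', $target );

	// 301 is fine for the GET requests that links and bookmarks produce; a POST
	// that arrives over http (e.g. a form submitted from a stale tab) loses its
	// body on redirect, which is acceptable since such a request should not be
	// trusted anyway.
	$output->redirect( $target, '301' );
	return true;
};
```

One caveat a practitioner should keep in mind: by the time this hook runs, the wikidb_session cookie has already travelled over http in the request that triggered the redirect. The redirect fixes the "logged out on http links" symptom; keeping the cookie off the wire in the first place is a job for $wgCookieSecure (and, for the Django-side cookies on postgresql.org, the equivalent Secure flag there).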


